-TVBUF
-TVSTREAM
-TVSTREAM_POPEN_ARGS
--TVSTREAN_POPEN_ARGS
-TVSTRING
-TWAIT_STATUS_T
-TWATCHDOG
-TX509_NAME
-TX509_STORE_CTX
-TXSASL_CLIENT
+-TXSASL_CLIENT_CREATE_ARGS
-TXSASL_CLIENT_IMPL
-TXSASL_CLIENT_IMPL_INFO
-TXSASL_CYRUS_CLIENT
-TXSASL_DOVECOT_SERVER_IMPL
-TXSASL_DOVECOT_SERVER_MECHS
-TXSASL_SERVER
+-TXSASL_SERVER_CREATE_ARGS
-TXSASL_SERVER_IMPL
-TXSASL_SERVER_IMPL_INFO
-Tcipher_probe_t
compatibility. Adding such headers to remote mail can break
DKIM signatures that cover headers that are not present.
File: cleanup/cleanup_message.c.
+
+20090415
+
+ Workaround: to avoid unnecessary "fatal" delivery agent
+ exits, delivery agents retry getting a shared lock on a
+ queue file. This is necessary since the queue manager's
+ behavior was changed years ago to refill the in-memory
+ recipient list before it was completely empty. File:
+ global/deliver_request.c.
+
+ Documentation: updated STRESS_README.
+
+20090416
+
+ Workaround: some AWK implementations have a limit of 10
+ output files and lack a working close() function. It is too
+ much trouble to find out what systems have this limitation,
+ and where, if any, such systems store their XPG4-compatible
+ AWK program. So instead we generate a stream of here
+ documents and let the shell split the stream into files.
+ File: postconf/extract.awk.
+
+ Documentation: clarification of certificate file usage.
+ Victor Duchovni. Files: proto/postconf.proto,
+ proto/TLS_README.html.
+
+ Feature: pass a "TLS is active" flag to the server-side
+ SASL support. Based on code by Timo Sirainen, except that
+ the implementation uses an extensible API so that it will
+ be less painful to add more attributes in future Postfix
+ versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
+ smtpd/smtpd_sasl_glue.c.
+
+20090417
+
+ Documentation: re-generate READMEs and manpages for updated
+ hyperlinks.
+
+ Documentation: missing hyperlinks and missing parameters
+ in manpages. File: mantools/postlink, mantools/check-postlink.
+
+20090418
+
+ Cleanup: use the extensible API to pass SMTP client address
+ information to the dovecot SASL plugin, and prepare for
+ passing server address information. Files: xsasl/xsasl.h,
+ xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
+
+ Same extensible API transformation for the SASL client-side
+ code to make future extensions less painful. Files:
+ xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
+
+ More postlink fixes. File: mantools/postlink.
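Review bot: The 20090417 entry ends with "File: mantools/postlink, mantools/check-postlink." but names two paths; use "Files:" as the other multi-file entries in this hunk do. In the 20090418 entry, the paragraph starting "Same extensible API transformation" carries no category label, so a reader scanning for "Cleanup:" will miss the client-side change; give it the same label as the paragraph above it.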
* TLS_README: TLS Encryption and authentication
* TLS_LEGACY_README: Legacy TLS support
* IPV6_README: IP Version 6 Support
+ * MULTI_INSTANCE_README: Multiple-instance management
* INSTALL: Installation from source code
P\bPr\bro\bob\bbl\ble\bem\bm s\bso\bol\blv\bvi\bin\bng\bg
attribute, sends the attribute with an empty value ("name="), or sends a
zero value ("name=0") in the case of a numerical attribute.
- * The "recipient" attribute is available only in the "RCPT TO" stage, and in
- the "DATA" and "END-OF-MESSAGE" stages when Postfix accepted only one
- recipient for the current message.
+ * The "recipient" attribute is available in the "RCPT TO" stage. It is also
+ available in the "DATA" and "END-OF-MESSAGE" stages if Postfix accepted
+ only one recipient for the current message.
* The "recipient_count" attribute (Postfix 2.3 and later) is non-zero only in
the "DATA" and "END-OF-MESSAGE" stages. It specifies the number of
O\bOv\bve\ber\brv\bvi\bie\bew\bw
-This document describes the symptoms of Postfix SMTP server overload, and how
-to avoid the condition under normal conditions. When the condition is caused by
-botnets or other malware, the document suggests configuration settings that
-help to minimize the impact on legitimate mail. Finally, the document
-introduces stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under overload.
+This document describes the symptoms of Postfix SMTP server overload. It
+presents permanent main.cf changes to avoid overload during normal operation,
+and temporary main.cf changes to cope with an unexpected burst of mail. This
+document makes specific suggestions for Postfix 2.5 and later which support
+stress-adaptive behavior, and for earlier Postfix versions that don't.
Topics covered in this document:
* Service more SMTP clients at the same time
* Spend less time per SMTP client
* Disconnect suspicious SMTP clients
- * Take desperate measures
- * Make Postfix behavior stress-adaptive
+ * Temporary measures for older Postfix releases
+ * Automatic stress-adaptive behavior
* Detecting support for stress-adaptive behavior
* Forcing stress-adaptive behavior on or off
+ * Other measures to off-load zombies
* Credits
S\bSy\bym\bmp\bpt\bto\bom\bms\bs o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br o\bov\bve\ber\brl\blo\boa\bad\bd
-Under normal conditions, Postfix responds immediately when a remote SMTP client
-connects. The time needed to deliver mail should be noticeable only with very
-large messages. Performance degrades more dramatically when the number of
-remote SMTP clients exceeds the number of Postfix SMTP server processes. When a
-client connects while all server processes are busy, the client must wait until
-a server process becomes available.
+Under normal conditions, the Postfix SMTP server responds immediately when an
+SMTP client connects to it; the time to deliver mail is noticeable only with
+large messages. Performance degrades dramatically when the number of SMTP
+clients exceeds the number of Postfix SMTP server processes. When an SMTP
+client connects while all Postfix SMTP server processes are busy, the client
+must wait until a server process becomes available.
-Overload may be caused by a legitimate mail (example: a DNS registrar opens a
-new zone for registrations), by mistake (mail explosion caused by a forwarding
-loop) or by illegitimate mail (worm outbreak, botnet, or other malware
-activity). Symptoms of Postfix SMTP mail server overload are:
+SMTP server overload may be caused by a surge of legitimate mail (example: a
+DNS registrar opens a new zone for registrations), by mistake (mail explosion
+caused by a forwarding loop) or by malice (worm outbreak, botnet, or other
+illegitimate activity).
+
+Symptoms of Postfix SMTP server overload are:
* Remote SMTP clients experience a long delay before Postfix sends the "220
- hostname.example.com ESMTP Postfix" greeting. If this affects end-user mail
- clients, enable the "submission" service entry in master.cf (present since
- Postfix 2.1), and tell users to connect to this instead of the public SMTP
- service.
+ hostname.example.com ESMTP Postfix" greeting.
+
+ o NOTE: Broken DNS configurations can also cause lengthy delays before
+ Postfix sends "220 hostname.example.com ...". These delays also exist
+ when Postfix is NOT overloaded.
- o NOTE: Broken DNS configurations also cause lengthy delays before
- Postfix sends "220 hostname.example.com ...". In this case the delay
- happens even when Postfix is not busy.
+ o NOTE: To avoid "overload" delays for end-user mail clients, enable the
+ "submission" service entry in master.cf (present since Postfix 2.1),
+ and tell users to connect to this instead of the public SMTP service.
* The Postfix SMTP server logs an increased number of "lost connection after
CONNECT" events. This happens because remote SMTP clients disconnect before
Postfix answers the connection.
- o NOTE: A portscan for open SMTP ports also results in "lost connection
- ..." logfile messages.
+ o NOTE: A portscan for open SMTP ports can also result in "lost
+ connection ..." logfile messages.
* Postfix 2.3 and later logs a warning that all server ports are busy:
condition, increase the process count in master.cf or reduce the
service time per client
-Legitimate mail that doesn't get through during an episode of overload is not
-necessarily lost. It should still arrive once the situation returns to normal,
-as long as the overload condition is temporary.
+Legitimate mail that doesn't get through during an episode of Postfix SMTP
+server overload is not necessarily lost. It should still arrive once the
+situation returns to normal, as long as the overload condition is temporary.
S\bSe\ber\brv\bvi\bic\bce\be m\bmo\bor\bre\be S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bts\bs a\bat\bt t\bth\bhe\be s\bsa\bam\bme\be t\bti\bim\bme\be
-To service more SMTP clients simultaneously, you need to increase the number of
-SMTP server processes. This will improve the responsiveness for remote SMTP
-clients, as long as the server machine has enough hardware and software
+One measure to avoid the "all server processes busy" condition is to service
+more SMTP clients simultaneously. For this you need to increase the number of
+Postfix SMTP server processes. This will improve the responsiveness for remote
+SMTP clients, as long as the server machine has enough hardware and software
resources to run the additional processes, and as long as the file system can
keep up with the additional load.
operating system that supports kernel-based event filters (BSD kqueue(2),
Linux epoll(4), or Solaris /dev/poll).
- * You can reduce the Postfix memory footprint by using cdb: lookup tables
- instead of Berkeley DB's hash: or btree: tables.
+ * More processes use more memory. You can reduce the Postfix memory footprint
+ by using cdb: lookup tables instead of Berkeley DB's hash: or btree:
+ tables.
1 /etc/postfix/main.cf:
2 # Raise the global process limit, 100 since Postfix 2.0.
S\bSp\bpe\ben\bnd\bd l\ble\bes\bss\bs t\bti\bim\bme\be p\bpe\ber\br S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt
When increasing the number of SMTP server processes is not practical, you can
-improve Postfix server responsiveness by eliminating unnecessary work. When
-Postfix spends less time per SMTP session, the same number of SMTP server
-processes can service more clients in the same amount of time.
+improve Postfix server responsiveness by eliminating delays. When Postfix
+spends less time per SMTP session, the same number of SMTP server processes can
+service more clients in a given amount of time.
* Eliminate non-functional RBL lookups (blocklists that are no longer in
operation). These lookups can degrade performance. Postfix logs a warning
BACKSCATTER_README for examples of the latter.
* Group your header_checks and body_checks patterns to avoid unnecessary
- pattern matching operations.
+ pattern matching operations:
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in
received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
D\bDi\bis\bsc\bco\bon\bnn\bne\bec\bct\bt s\bsu\bus\bsp\bpi\bic\bci\bio\bou\bus\bs S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bts\bs
by hanging up on suspicious clients, so that other clients get a chance to talk
to Postfix.
- * Use "521" reply codes (Postfix 2.6 and later) for botnet-related RBLs or
- for selected non-RBL restrictions. With Postfix 2.3-2.5 use "421" for a
- similar result. The Postfix SMTP server will disconnect immediately without
+ * Use "521" SMTP reply codes (Postfix 2.6 and later) or "421" (Postfix 2.3-
+ 2.5) to hang up on clients that that match botnet-related RBLs (see next
+ bullet) or that match selected non-RBL restrictions such as SMTP access
+ maps. The Postfix SMTP server will reject mail and disconnect without
waiting for the remote SMTP client to send a QUIT command.
- You can set individual reject codes for RBLs, and for individual responses
- from a specific RBL. We'll use zen.spamhaus.org as an example; by the time
- you read this document, details may have changed. Right now, their
+ * To hang up connections from blacklisted zombies, you can set specific
+ Postfix SMTP server reject codes for specific RBLs, and for individual
+ responses from specific RBLs. We'll use zen.spamhaus.org as an example; by
+ the time you read this document, details may have changed. Right now, their
documents say that a response of 127.0.0.10 or 127.0.0.11 indicates a
dynamic client IP address, which means that the machine is probably running
a bot of some kind. To give a 521 response instead of the default 554
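Review bot: The rewritten first bullet reads "hang up on clients that that match botnet-related RBLs"; drop the duplicated "that". The 421 advice for Postfix 2.3-2.5 now appears in this bullet, and again in the example comment and the dedicated bullet added in the next hunk, so consider keeping it in one place and pointing to it from the others.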
8 rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
- 11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
- 12 $rbl_class [$rbl_what] blocked using
- 13 $rbl_domain${rbl_reason?; $rbl_reason}
- 14
- 15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
- 16 $rbl_class [$rbl_what] blocked using
- 17 $rbl_domain${rbl_reason?; $rbl_reason}
-
- Although the above shows three RBL lookups (lines 4-6), Postfix will still
- only do a single DNS query, so the performance difference is negligible.
-
- With Postfix 2.3-2.5, use 421 (reply code 521 will not cause Postfix to
- disconnect). The down-side of sending 421 is that it works only for zombies
- and other malware. If the client is running a real MTA, then it may connect
- again several times until the mail expires in its queue. When this is a
- problem, stick with the default 554 reply, and use "smtpd_hard_error_limit
- = 1" as described below.
-
- With Postfix 2.5, or with earlier releases that contain the stress-adaptive
- behavior patch, you can turn on the above under overload by replacing line
- 8 with:
+ 11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+ 12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+ 13 $rbl_class [$rbl_what] blocked using
+ 14 $rbl_domain${rbl_reason?; $rbl_reason}
+ 15
+ 16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+ 17 $rbl_class [$rbl_what] blocked using
+ 18 $rbl_domain${rbl_reason?; $rbl_reason}
+
+ Although the above example shows three RBL lookups (lines 4-6), Postfix
+ will only do a single DNS query, so it does not affect the performance.
+
+ * With Postfix 2.3-2.5, use reply code 421 (521 will not cause Postfix to
+ disconnect). The down-side of replying with 421 is that it works only for
+ zombies and other malware. If the client is running a real MTA, then it may
+ connect again several times until the mail expires in its queue. When this
+ is a problem, stick with the default 554 reply, and use
+ "smtpd_hard_error_limit = 1" as described below.
+
+ * You can automatically turn on the above overload measure with Postfix 2.5
+ and later, or with earlier releases that contain the stress-adaptive
+ behavior source code patch from the mirrors listed at http://
+ www.postfix.org/download.html. Simply replace line above 8 with:
8 rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
- More information about automatic stress-adaptive behavior is at the end of
- this document.
+More information about automatic stress-adaptive behavior is in section
+"Automatic stress-adaptive behavior".
-T\bTa\bak\bke\be d\bde\bes\bsp\bpe\ber\bra\bat\bte\be m\bme\bea\bas\bsu\bur\bre\bes\bs
+T\bTe\bem\bmp\bpo\bor\bra\bar\bry\by m\bme\bea\bas\bsu\bur\bre\bes\bs f\bfo\bor\br o\bol\bld\bde\ber\br P\bPo\bos\bst\btf\bfi\bix\bx r\bre\bel\ble\bea\bas\bse\bes\bs
-The following measures will still allow m\bmo\bos\bst\bt legitimate clients to connect and
-send mail, but may affect some legitimate clients.
+See the next section, "Automatic stress-adaptive behavior", if you are running
+Postfix version 2.5 or later, or if you have applied the source code patch for
+stress-adaptive behavior from the mirrors listed at http://www.postfix.org/
+download.html.
+
+The following measures can be applied temporarily during overload. They still
+allow m\bmo\bos\bst\bt legitimate clients to connect and send mail, but may affect some
+legitimate clients.
* Reduce smtpd_timeout (default: 300s). Experience on the postfix-users list
from a variety of sysadmins shows that reducing the "normal" smtpd_timeout
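Review bot: In the added bullet about turning the measure on automatically, "Simply replace line above 8 with:" has its words out of order; it should read "Simply replace line 8 above with:". The example is also renumbered by the new comment at line 11, so it is worth confirming that the prose references to "lines 4-6" and "line 8" still point at the intended lines.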
longer-active user names that didn't bother to unsubscribe. No mail should
be lost, as long as this measure is used only temporarily.
- * Disable remote SMTP client hostname lookups, so that all SMTP client
- hostnames become "unknown" (line 5 below). This feature was introduced with
- Postfix 2.3. Unfortunately, this measure is more problematic than the other
- ones proposed sofar. First, this will result in loss of mail when you use
- hostname-based access rules that reject mail from "unknown" SMTP clients
- (examples: reject_unknown_client_hostname,
- reject_unknown_reverse_client_hostname). Second, this may result in loss of
- mail when you subject "unknown" SMTP clients to additional restrictions
- such as reject_unverified_sender.
+ * Use an smtpd_junk_command_limit of 1 instead of the default 100. This
+ prevents clients from keeping idle connections open by repeatedly sending
+ NOOP or RSET commands.
1 /etc/postfix/main.cf:
2 smtpd_timeout = 10
3 smtpd_hard_error_limit = 1
- 4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-
- 5 smtpd_peername_lookup = no
+ 4 smtpd_junk_command_limit = 1
-Except with the last measure, no mail should be lost, as long as these measures
-are used only temporarily. The next section of this document introduces a way
-to automate this process.
+With these measures, no mail should be lost, as long as these measures are used
+only temporarily. The next section of this document introduces a way to
+automate this process.
-M\bMa\bak\bke\be P\bPo\bos\bst\btf\bfi\bix\bx b\bbe\beh\bha\bav\bvi\bio\bor\br s\bst\btr\bre\bes\bss\bs-\b-a\bad\bda\bap\bpt\bti\biv\bve\be
+A\bAu\but\bto\bom\bma\bat\bti\bic\bc s\bst\btr\bre\bes\bss\bs-\b-a\bad\bda\bap\bpt\bti\biv\bve\be b\bbe\beh\bha\bav\bvi\bio\bor\br
Postfix version 2.5 introduces automatic stress-adaptive behavior. This is also
-available as an add-on patch for Postfix versions 2.4 and 2.3 from the mirrors
-listed at http://www.postfix.org/download.html.
+available as a source code patch for Postfix versions 2.4 and 2.3 from the
+mirrors listed at http://www.postfix.org/download.html.
-It works as follows. When a "public" network service runs into an "all server
-ports are busy" condition, the master(8) daemon logs a warning, restarts the
-service (without interrupting existing network sessions), and runs the service
-with "-o stress=yes" on the command line. Normally, it runs a stress-adaptive
-service with "-o stress=" on the command line (i.e. with an empty parameter
-value). Other services never have "-o stress" parameters on the command line,
-including services that listen on a loopback interface only.
+It works as follows. When a "public" network service such as the SMTP server
+runs into an "all server ports are busy" condition, the Postfix master(8)
+daemon logs a warning, restarts the service (without interrupting existing
+network sessions), and runs the service with "-o stress=yes" on the server
+process command line:
-The stress pseudo-parameter value is the key to making main.cf parameter
-settings stress adaptive:
+ 80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
- 1 /etc/postfix/main.cf:
- 2 smtpd_timeout = ${stress?10}${stress:300}
- 3 smtpd_hard_error_limit = ${stress?1}${stress:20}
+Normally, the Postfix master(8) daemon runs such a service with "-o stress=" on
+the command line (i.e. with an empty parameter value):
-Translation:
+ 83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
- * Line 2: under conditions of stress, use an smtpd_timeout value of 10
- seconds instead of the default 300 seconds,
+Services that have local access only never have "-o stress" parameters on the
+command line. This includes services internal to Postfix such as the queue
+manager, and services that listen on a loopback interface only, such as after-
+filter SMTP services.
- * Line 3: under conditions of stress, use an smtpd_hard_error_limit of 1
- instead of the default 20.
+The "stress" parameter value is the key to making main.cf parameter settings
+stress adaptive. The following settings are the default with Postfix 2.6 and
+later. With earlier Postfix versions that have stress-adaptive support, append
+the lines below to the main.cf file and issue a "postfix reload" command:
+
+ 1 smtpd_timeout = ${stress?10}${stress:300}s
+ 2 smtpd_hard_error_limit = ${stress?1}${stress:20}
+ 3 smtpd_junk_command_limit = ${stress?1}${stress:100}
+
+Translation:
+
+ * Line 1: under conditions of stress, use an smtpd_timeout value of 10
+ seconds instead of the default 300 seconds. Experience on the postfix-users
+ list from a variety of sysadmins shows that reducing the "normal"
+ smtpd_timeout to 60s is unlikely to affect legitimate clients. However, it
+ is unlikely to become the Postfix default because it's not RFC compliant.
+ Setting smtpd_timeout to 10s (line 2 below) or even 5s under stress will
+ still allow most legitimate clients to connect and send mail, but may delay
+ mail from some clients. No mail should be lost, as long as this measure is
+ used only temporarily.
+
+ * Line 2: under conditions of stress, use an smtpd_hard_error_limit of 1
+ instead of the default 20. This helps by disconnecting clients after a
+ single error, giving other clients a chance to connect. However, this may
+ cause significant delays with legitimate mail, such as a mailing list that
+ contains a few no-longer-active user names that didn't bother to
+ unsubscribe. No mail should be lost, as long as this measure is used only
+ temporarily.
+
+ * Line 3: under conditions of stress, use an smtpd_junk_command_limit of 1
+ instead of the default 100. This prevents clients from keeping idle
+ connections open by repeatedly sending NOOP or RSET commands.
The syntax of ${name?value} and ${name:value} is explained at the beginning of
the postconf(5) manual page.
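Review bot: In the new "Translation" list, the Line 1 item says "Setting smtpd_timeout to 10s (line 2 below)", but in this section smtpd_timeout is line 1 of the example and the example sits above the list. The sentence appears to be carried over from the temporary-measures section, where "smtpd_timeout = 10" is on line 2 of the main.cf example; change the parenthetical to "(line 1 above)" or drop it. In the same hunk, "With these measures, no mail should be lost, as long as these measures are used only temporarily" repeats "these measures" and could be shortened.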
7 -o stress=
8 -o . . .
+O\bOt\bth\bhe\ber\br m\bme\bea\bas\bsu\bur\bre\bes\bs t\bto\bo o\bof\bff\bf-\b-l\blo\boa\bad\bd z\bzo\bom\bmb\bbi\bie\bes\bs
+
+OpenBSD spamd implements a daemon that handles all connections from "new"
+clients. Only well-behaved mail clients are allowed to talk to the mail server.
+Other clients are tarpitted, and will never get a chance to affect mail server
+performance.
+
+At some point in the future, Postfix may come with a simple front-end daemon
+that does basic greylisting and pipelining detection to keep zombies and other
+ratware away from Postfix itself. This would use the "pass" service type which
+has been available in stable Postfix releases since Postfix 2.5.
+
C\bCr\bre\bed\bdi\bit\bts\bs
* Thanks to the postfix-users mailing list members for sharing early
Example:
/etc/postfix/main.cf:
- smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+ smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
As of version 2.5, Postfix will no longer maintain this file in a directory
with non-Postfix ownership. As a migration aid, attempts to open such files are
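Review bot: The example now places smtpd_tls_session_cache_database under /etc/postfix, yet the sentence right after it says that as of version 2.5 Postfix will no longer maintain this file in a directory with non-Postfix ownership. Another part of this patch states that the configuration files in /etc/postfix must be owned by root and that write permission on their parent directory amounts to root privileges, so a cache file that Postfix writes should not be shown living there without explanation. Either keep the example in a Postfix-owned directory or say explicitly that this path is the legacy location the migration aid refers to. The same applies to the smtp_tls_session_cache_database example changed in the following hunk.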
Example:
/etc/postfix/main.cf:
- smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
+ smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
As of version 2.5, Postfix will no longer maintain this file in a directory
with non-Postfix ownership. As a migration aid, attempts to open such files are
which certificate is presented. For Netscape and OpenSSL clients without
special cipher choices, the RSA certificate is preferred.
-In order for remote SMTP clients to check the Postfix SMTP server certificates,
-the CA certificate (in case of a certificate chain, all CA certificates) must
-be available. You should add any intermediate CA certificates to the server
-certificate: the server certificate first, then the intermediate CA(s).
+To enable a remote SMTP client to verify the Postfix SMTP server certificate,
+the issuing CA certificates must be made available to the client. You should
+include the required certificates in the server certificate file, the server
+certificate first, then the issuing CA(s) (bottom-up order).
Example: the certificate for "server.example.com" was issued by "intermediate
CA" which itself has a certificate issued by "root CA". Create the server.pem
$smtpd_tls_CApath directory needs to be accessible inside the optional chroot
jail.
-When you configure the Postfix SMTP server to request client certificates, any
-CA certificates in $smtpd_tls_CAfile are sent to the client, in order to allow
-it to choose an identity signed by a CA you trust. If no $smtpd_tls_CAfile is
-specified, no preferred CA list is sent, and the client is free to choose an
-identity signed by any CA. Many clients use a fixed identity regardless of the
-preferred CA list and you may be able to reduce TLS negotiation overhead by
-installing client CA certificates mostly or only in $smtpd_tls_CApath. In the
-latter case you need not specify a $smtpd_tls_CAfile.
+When you configure the Postfix SMTP server to request client certificates, the
+DNs of certificate authorities in $smtpd_tls_CAfile are sent to the client, in
+order to allow it to choose an identity signed by a CA you trust. If no
+$smtpd_tls_CAfile is specified, no preferred CA list is sent, and the client is
+free to choose an identity signed by any CA. Many clients use a fixed identity
+regardless of the preferred CA list and you may be able to reduce TLS
+negotiation overhead by installing client CA certificates mostly or only in
+$smtpd_tls_CApath. In the latter case you need not specify a $smtpd_tls_CAfile.
Note, that unless client certificates are used to allow greater access to TLS
authenticated clients, it is best to not ask for client certificates at all, as
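Review bot: The rewritten paragraph uses "DNs" without expanding it ("the DNs of certificate authorities in $smtpd_tls_CAfile are sent to the client"); spell out "distinguished names (DNs)" on first use. The correction itself is useful because it tells the reader that only the CA names are disclosed in the handshake, not the certificates, which is the detail an operator needs when deciding which CAs to list in $smtpd_tls_CAfile and which to leave in $smtpd_tls_CApath.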
accessible without password. Both parts (certificate and private key) may be in
the same file.
-In order for remote SMTP servers to verify the Postfix SMTP client
-certificates, the CA certificate (in case of a certificate chain, all CA
-certificates) must be available. You should add these certificates to the
-client certificate, the client certificate first, then the issuing CA(s).
+To enable remote SMTP servers to verify the Postfix SMTP client certificate,
+the issuing CA certificates must be made available to the server. You should
+include the required certificates in the client certificate file, the client
+certificate first, then the issuing CA(s) (bottom-up order).
Example: the certificate for "client.example.com" was issued by "intermediate
-CA" which itself has a certificate of "root CA". Create the client.pem file
-with:
+CA" which itself has a certificate issued by "root CA". Create the client.pem
+file with:
% c\bca\bat\bt c\bcl\bli\bie\ben\bnt\bt_\b_c\bce\ber\brt\bt.\b.p\bpe\bem\bm i\bin\bnt\bte\ber\brm\bme\bed\bdi\bia\bat\bte\be_\b_C\bCA\bA.\b.p\bpe\bem\bm >\b> c\bcl\bli\bie\ben\bnt\bt.\b.p\bpe\bem\bm
Adding such headers can break DKIM signatures that cover headers
that are not present.
-This changes the appearance of Postfix logging: some messages will
-no longer log a message-id=<...text...> line.
+This changes the appearance of Postfix logging: to preserve
+compatibility with existing logfile processing software, Postfix
+will log ``message-id=<>'' for messages without Message-Id header.
Major changes with snapshot 20090212
====================================
Wish list:
+ Remove this file from the stable release.
+
"postconf -N" option to print user-defined parameter names
(these have no defaults, since they exist only when
specified in main.cf or with "-o name=value").
Make the "unknown recipient" test configurable as
first|last|never, with "yes"=="last" for backwards
compatibility. The "first" setting is good for performance
- (stress=yes) when all users are defined in local files.
-
- Make the double-bounce address time-dependent (with 24-hour
- grace period). Spammers appear to use this address to avoid
- DATA command rejects. Avoiding DATA rejects means they can
- pipeline the entire SMTP session without triggering huge
- numbers of protocol errors. They can still trigger "improper
- command pipelining after DATA" alarms, but that requires
- non-default main.cf settings.
+ (stress=yes) when all users are defined in local files; but
+ it may perform worse when users are in networked tables.
Cleanup: make DNSBL query format configurable beyond the
client's reversed IP address.
With 'final delivery' in the LMTP client, need an option
- to also add delivered-to and other pipe(8) features.
- This requires making mail_copy() more generic.
-
- To work around historical AWK's limit of 10 open files,
- pipe all output into a shell and have the shell open files.
- It's too much pain to find out whose AWK is old and where
- if any they keep the XPG4 compliant version.
+ to also add delivered-to and other pipe(8) features. This
+ requires making mail_copy() functionality available in
+ non-mailbox context.
Cleanup: modernize the "add missing From: header" code, to
``phrase <addr>'' form. Most likely, quote the entire phrase
Maybe change maps_rbl_reject_code default to 521, and
update wording in STRESS_README.
- reject_unlisted_recipient = (yes | late | early | no) with
- yes===late, for backwards compatibility. Ditto for
- reject_unlisted_sender.
-
- Set a flag when a remote SMTP client speaks before the
- Postfix SMTP server sends the 220 greeting.
-
Encapsulate time_t comparisons so that they can be made
system dependent (use difftime() where available).
is unlikely to break existing configurations. Or perhaps
it's just too ugly.
- Make adding Date/From/Message-ID headers dependent on local
- rewrite context.
-
- Make adding date/from/etc. conditional. Perhaps on header
- rewrite context? Do we need a more powerful concept than
- local_header_rewrite_clients/remote_header_rewrite_domain?
-
Write delivery rate delay example (which _README?) and auth
failure cache example (SASL_README). Then include them in
SOHO_README.
that it makes smtpd_mumble_restrictions available for local
and remote mail; the disadvantage is that it makes local
submissions more dependent on networking. One possibility
- is to use "pickup -o content_filter=smtp:127.0.0.1:10025";
+ is to use "pickup -o content_filter=smtp:127.0.0.1:10025",
+ or a dedicated SMTP client/server on UNIX-domain sockets;
we could also decide to always suppress "mail loop" detection
for loopback connections. Another option is to have the
pickup or cleanup server drive an SMTP client directly;
this would require extension of the mail_stream() interface,
- plus a way to handle bounced/deferred recipients intelligently.
+ plus a way to handle bounced/deferred recipients intelligently,
+ but it would be at odds with Postfix design where delivery
+ agents access queue files directly; exposing delivery agents
+ to raw queue files violates another Postfix design principle.
Consolidate duplicated code in *_server_accept_{pass,inet}().
<h2> Introduction </h2>
<p> Postfix has several hundred configuration parameters that are
-controlled via the main.cf file. Fortunately, all parameters have
+controlled via the <a href="postconf.5.html">main.cf</a> file. Fortunately, all parameters have
sensible default values. In many cases, you need to configure only
two or three parameters before you can start to play with the mail
system. Here's a quick introduction to the syntax: </p>
<h2> <a name="syntax">Postfix configuration files</a></h2>
<p> By default, Postfix configuration files are in /etc/postfix.
-The two most important files are main.cf and master.cf; these files
+The two most important files are <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>; these files
must be owned by root. Giving someone else write permission to
-main.cf or master.cf (or to their parent directories) means giving
+<a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> (or to their parent directories) means giving
root privileges to that person. </p>
-<p> In /etc/postfix/main.cf you will have to set up a minimal number
+<p> In /etc/postfix/<a href="postconf.5.html">main.cf</a> you will have to set up a minimal number
of configuration parameters. Postfix configuration parameters
resemble shell variables, with two important differences: the first
one is that Postfix does not know about quotes like the UNIX shell
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
parameter = value
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
other_parameter = $parameter
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
</pre>
</blockquote>
-<p> Whenever you make a change to the main.cf or master.cf file,
+<p> Whenever you make a change to the <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> file,
execute the following command as root in order to refresh a running
mail system: </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#myhostname">myhostname</a> (default: send mail as "user@$<a href="postconf.5.html#myhostname">myhostname</a>")
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (probably desirable: "user@$<a href="postconf.5.html#mydomain">mydomain</a>")
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost $<a href="postconf.5.html#mydomain">mydomain</a>
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost
www.$<a href="postconf.5.html#mydomain">mydomain</a> ftp.$<a href="postconf.5.html#mydomain">mydomain</a>
</pre>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet (default: authorize subnetworks)
<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host (safe: authorize local machine only)
<a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 (safe: authorize local machine only)
</pre>
</blockquote>
-<p> You can specify the trusted networks in the main.cf file, or
+<p> You can specify the trusted networks in the <a href="postconf.5.html">main.cf</a> file, or
you can let Postfix do the work for you. The default is to let
Postfix do the work. The result depends on the <a href="postconf.5.html#mynetworks_style">mynetworks_style</a>
parameter value.
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mynetworks">mynetworks</a> = 168.100.189.0/28, 127.0.0.0/8
</pre>
</blockquote>
<p> You can also specify the absolute pathname of a pattern file instead
-of listing the patterns in the main.cf file. </p>
+of listing the patterns in the <a href="postconf.5.html">main.cf</a> file. </p>
<h2> <a name="relay_to"> What destinations to relay mail to </a> </h2>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydestination">mydestination</a> (default)
<a href="postconf.5.html#relay_domains">relay_domains</a> = (safe: never forward mail from strangers)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (forward mail to my domain and subdomains)
office hours, it may be behind a firewall, or it may be connected
via a provider who does not allow direct mail to the Internet. In
those cases you need to configure Postfix to deliver mail indirectly
-via a relay host. </p>
+via a <a href="postconf.5.html#relayhost">relay host</a>. </p>
<p> Examples (specify only one of the following): </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = (default: direct delivery to Internet)
<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (deliver via local mailhub)
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.$<a href="postconf.5.html#mydomain">mydomain</a>] (deliver via local mailhub)
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#notify_classes">notify_classes</a> = resource, software
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 (the proxy/NAT external network address)
</pre>
</blockquote>
<h2> <a name="chroot_setup"> Running Postfix daemon processes
chrooted </a> </h2>
-<p> Postfix daemon processes can be configured (via the master.cf
+<p> Postfix daemon processes can be configured (via the <a href="master.5.html">master.cf</a>
file) to run in a chroot jail. The processes run at a fixed low
privilege and with file system access limited to the Postfix queue
directories (/var/spool/postfix). This provides a significant
porcupine.org mail server runs all daemons chrooted that can be
chrooted. </p>
-<p>The default /etc/postfix/master.cf file specifies that no Postfix
+<p>The default /etc/postfix/<a href="master.5.html">master.cf</a> file specifies that no Postfix
daemon runs chrooted. In order to enable chroot operation, edit
-the file /etc/postfix/master.cf, and follow instructions in the
+the file /etc/postfix/<a href="master.5.html">master.cf</a>, and follow instructions in the
file. When you're finished, execute "postfix reload" to make the
change effective. </p>
specify the fully-qualified domain name that the mail system should
use. </p>
-<p> Alternatively, if you specify <a href="postconf.5.html#mydomain">mydomain</a> in main.cf, then Postfix
+<p> Alternatively, if you specify <a href="postconf.5.html#mydomain">mydomain</a> in <a href="postconf.5.html">main.cf</a>, then Postfix
will use its value to generate a fully-qualified default value
for the <a href="postconf.5.html#myhostname">myhostname</a> parameter. </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myhostname">myhostname</a> = host.local.domain (machine name is not FQDN)
<a href="postconf.5.html#myhostname">myhostname</a> = host.virtual.domain (virtual interface)
<a href="postconf.5.html#myhostname">myhostname</a> = virtual.domain (virtual interface)
by stripping off the first part (unless the result would be a
top-level domain). </p>
-<p> Conversely, if you specify <a href="postconf.5.html#mydomain">mydomain</a> in main.cf, then Postfix
+<p> Conversely, if you specify <a href="postconf.5.html#mydomain">mydomain</a> in <a href="postconf.5.html">main.cf</a>, then Postfix
will use its value to generate a fully-qualified default value
for the <a href="postconf.5.html#myhostname">myhostname</a> parameter. </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydomain">mydomain</a> = local.domain
<a href="postconf.5.html#mydomain">mydomain</a> = virtual.domain (virtual interface)
</pre>
as if it is addressed to a domain listed in $<a href="postconf.5.html#mydestination">mydestination</a>.</p>
<p> You can override the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> setting in the Postfix
-master.cf file by prepending an IP address to a server name. </p>
+<a href="master.5.html">master.cf</a> file by prepending an IP address to a server name. </p>
<p> The default is to listen on all active interfaces. If you run
mailers on virtual interfaces, you will have to specify what
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = all
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = virtual.host.tld (virtual Postfix)
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost... (non-virtual Postfix)
</pre>
<h2>Introduction</h2>
<p> Postfix version 2.3 introduces support for Delivery Status
-Notifications as described in <a href="http://www.faqs.org/rfcs/rfc3464.html">RFC 3464</a>. This gives senders control
+Notifications as described in <a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a>. This gives senders control
over successful and failed delivery notifications. </p>
<p> Specifically, DSN support gives an email sender the ability to
<li> <p> The SMTP server now requires that IPv6 addresses in SMTP
commands are specified as [ipv6:<i>ipv6address</i>], as
-described in <a href="http://www.faqs.org/rfcs/rfc2821.html">RFC 2821</a>. </p>
+described in <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
<li> <p> The IPv6 network address matching code was rewritten from
the ground up, and is expected to be closer to the specification.
value ("<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> =") to disable this feature. </p>
<li> <p> Lines 6 and 13-15 redirect mail for postmaster to the
-local postmaster. <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a> requires that every domain has a postmaster
+local postmaster. <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> requires that every domain has a postmaster
address. </p>
</ul>
or handshake failure </td> </tr>
<tr> <td> <a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a><br>
-<a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a> </td>
+<a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a> </td>
<td align="center"> 2.5<br> 2.5 </td> <td> Per-destination negative
feedback amount, per delivery that fails with connection or handshake
failure </td> </tr>
an empty value ("name="), or sends a zero value ("name=0") in
the case of a numerical attribute. </p>
- <li> <p> The "recipient" attribute is available only in the
- "RCPT TO" stage, and in the "DATA" and "END-OF-MESSAGE" stages
- when Postfix accepted only one recipient for the current message.
- </p>
+ <li> <p> The "recipient" attribute is available in the "RCPT
+ TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE"
+ stages if Postfix accepted only one recipient for the current
+ message. </p>
<li> <p> The "recipient_count" attribute (Postfix 2.3 and later)
is non-zero only in the "DATA" and "END-OF-MESSAGE" stages. It
<h2>Overview </h2>
<p> This document describes the symptoms of Postfix SMTP server
-overload, and how to avoid the condition under normal conditions.
-When the condition is caused by botnets or other malware, the
-document suggests configuration settings that help to minimize the
-impact on legitimate mail. Finally, the document introduces
-stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under
-overload. </p>
+overload. It presents permanent <a href="postconf.5.html">main.cf</a> changes to avoid overload
+during normal operation, and temporary <a href="postconf.5.html">main.cf</a> changes to cope with
+an unexpected burst of mail. This document makes specific suggestions
+for Postfix 2.5 and later which support stress-adaptive behavior,
+and for earlier Postfix versions that don't. </p>
<p> Topics covered in this document: </p>
<li><a href="#hangup"> Disconnect suspicious SMTP clients </a>
-<li><a href="#desperate"> Take desperate measures </a>
+<li><a href="#legacy"> Temporary measures for older Postfix releases </a>
-<li><a href="#adapt"> Make Postfix behavior stress-adaptive </a>
+<li><a href="#adapt"> Automatic stress-adaptive behavior </a>
<li><a href="#feature"> Detecting support for stress-adaptive behavior </a>
<li><a href="#forcing"> Forcing stress-adaptive behavior on or off </a>
+<li><a href="#other"> Other measures to off-load zombies </a>
+
<li><a href="#credits"> Credits </a>
</ul>
<h2><a name="overload"> Symptoms of Postfix SMTP server overload </a></h2>
-<p> Under normal conditions, Postfix responds immediately when a
-remote SMTP client connects. The time needed to deliver mail should
-be noticeable only with very large messages. Performance degrades
-more dramatically when the number of remote SMTP clients exceeds
-the number of Postfix SMTP server processes. When a client connects
-while all server processes are busy, the client must wait until a
-server process becomes available. </p>
+<p> Under normal conditions, the Postfix SMTP server responds
+immediately when an SMTP client connects to it; the time to deliver
+mail is noticeable only with large messages. Performance degrades
+dramatically when the number of SMTP clients exceeds the number of
+Postfix SMTP server processes. When an SMTP client connects while
+all Postfix SMTP server processes are busy, the client must wait
+until a server process becomes available. </p>
+
+<p> SMTP server overload may be caused by a surge of legitimate
+mail (example: a DNS registrar opens a new zone for registrations),
+by mistake (mail explosion caused by a forwarding loop) or by malice
+(worm outbreak, botnet, or other illegitimate activity). </p>
-<p> Overload may be caused by a legitimate mail (example: a DNS
-registrar opens a new zone for registrations), by mistake (mail
-explosion caused by a forwarding loop) or by illegitimate mail (worm
-outbreak, botnet, or other malware activity). Symptoms of Postfix
-SMTP mail server overload are: </p>
+<p> Symptoms of Postfix SMTP server overload are: </p>
<ul>
<li> <p> Remote SMTP clients experience a long delay before Postfix
-sends the "220 hostname.example.com ESMTP Postfix" greeting. If
-this affects end-user mail clients, enable the "submission" service
-entry in <a href="master.5.html">master.cf</a> (present since Postfix 2.1), and tell users to
-connect to this instead of the public SMTP service. </p>
+sends the "220 hostname.example.com ESMTP Postfix" greeting. </p>
<ul>
-<li> <p> NOTE: Broken DNS configurations also cause lengthy delays
-before Postfix sends "220 hostname.example.com ...". In this case
-the delay happens even when Postfix is not busy. </p>
+<li> <p> NOTE: Broken DNS configurations can also cause lengthy
+delays before Postfix sends "220 hostname.example.com ...". These
+delays also exist when Postfix is NOT overloaded. </p>
+
+<li> <p> NOTE: To avoid "overload" delays for end-user mail
+clients, enable the "submission" service entry in <a href="master.5.html">master.cf</a> (present
+since Postfix 2.1), and tell users to connect to this instead of
+the public SMTP service. </p>
</ul>
<ul>
-<li> <p> NOTE: A portscan for open SMTP ports also results in "lost
-connection ..." logfile messages. </p>
+<li> <p> NOTE: A portscan for open SMTP ports can also result in
+"lost connection ..." logfile messages. </p>
</ul>
</ul>
<p> Legitimate mail that doesn't get through during an episode of
-overload is not necessarily lost. It should still arrive once the
-situation returns to normal, as long as the overload condition is
-temporary. </p>
+Postfix SMTP server overload is not necessarily lost. It should
+still arrive once the situation returns to normal, as long as the
+overload condition is temporary. </p>
<h2><a name="concurrency"> Service more SMTP clients at the same time </a> </h2>
-<p> To service more SMTP clients simultaneously, you need to increase
-the number of SMTP server processes. This will improve the
+<p> One measure to avoid the "all server processes busy" condition
+is to service more SMTP clients simultaneously. For this you need
+to increase the number of Postfix SMTP server processes. This will
+improve the
responsiveness for remote SMTP clients, as long as the server machine
has enough hardware and software resources to run the additional
processes, and as long as the file system can keep up with the
filters (BSD kqueue(2), Linux epoll(4), or Solaris /dev/poll).
</p>
-<li> <p> You can reduce the Postfix memory footprint by using <a href="CDB_README.html">cdb</a>:
+<li> <p> More processes use more memory. You can reduce the Postfix
+memory footprint by using <a href="CDB_README.html">cdb</a>:
lookup tables instead of Berkeley DB's hash: or btree: tables. </p>
<pre>
<p> When increasing the number of SMTP server processes is not
practical, you can improve Postfix server responsiveness by eliminating
-unnecessary work. When Postfix spends less time per SMTP session, the
-same number of SMTP server processes can service more clients in the
-same amount of time. </p>
+delays. When Postfix spends less time per SMTP session, the same
+number of SMTP server processes can service more clients in a given
+amount of time. </p>
<ul>
mail. See <a href="BACKSCATTER_README.html">BACKSCATTER_README</a> for examples of the latter.
<li> <p> Group your <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a> patterns to avoid
-unnecessary pattern matching operations.
+unnecessary pattern matching operations:
<pre>
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
</pre>
<ul>
-<li> <p> Use "521" reply codes (Postfix 2.6 and later) for
-botnet-related RBLs or for selected non-RBL restrictions. With
-Postfix 2.3-2.5 use "421" for a similar result. The Postfix SMTP
-server will disconnect immediately without waiting for the remote
-SMTP client to send a QUIT command. </p>
-
-<p> You can set individual reject codes for RBLs, and for individual
-responses from a specific RBL. We'll use zen.spamhaus.org as an
-example; by the time you read this document, details may have
-changed. Right now, their documents say that a response of 127.0.0.10
-or 127.0.0.11 indicates a dynamic client IP address, which means
-that the machine is probably running a bot of some kind. To give
-a 521 response instead of the default 554 response, use something
-like: </p>
+<li> <p> Use "521" SMTP reply codes (Postfix 2.6 and later) or "421"
+(Postfix 2.3-2.5) to hang up on clients that that match botnet-related
+RBLs (see next bullet) or that match selected non-RBL restrictions
+such as SMTP access maps. The Postfix SMTP server will reject mail
+and disconnect without waiting for the remote SMTP client to send
+a QUIT command. </p>
+
+<li> <p> To hang up connections from blacklisted zombies, you can
+set specific Postfix SMTP server reject codes for specific RBLs,
+and for individual responses from specific RBLs. We'll use
+zen.spamhaus.org as an example; by the time you read this document,
+details may have changed. Right now, their documents say that a
+response of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP
+address, which means that the machine is probably running a bot of
+some kind. To give a 521 response instead of the default 554
+response, use something like: </p>
<pre>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
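Review bot: Typo in the first added bullet: "to hang up on clients that that match botnet-related RBLs" has a doubled "that". Since STRESS_README and the generated HTML are both produced from the same proto source, fix it there so the regenerated files do not reintroduce it.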
8 <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
-11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
-12 $rbl_class [$rbl_what] blocked using
-13 $rbl_domain${rbl_reason?; $rbl_reason}
-14
-15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
-16 $rbl_class [$rbl_what] blocked using
-17 $rbl_domain${rbl_reason?; $rbl_reason}
+11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+13 $rbl_class [$rbl_what] blocked using
+14 $rbl_domain${rbl_reason?; $rbl_reason}
+15
+16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+17 $rbl_class [$rbl_what] blocked using
+18 $rbl_domain${rbl_reason?; $rbl_reason}
</pre>
-<p> Although the above shows three RBL lookups (lines 4-6), Postfix
-will still only do a single DNS query, so the performance difference
-is negligible. </p>
+<p> Although the above example shows three RBL lookups (lines 4-6),
+Postfix will only do a single DNS query, so it does not affect the
+performance. </p>
-<p> With Postfix 2.3-2.5, use 421 (reply code 521 will not cause
-Postfix to disconnect). The down-side of sending 421 is that
-it works only for zombies and other malware. If the client is running
-a real MTA, then it may connect again several times until the mail
-expires in its queue. When this is a problem, stick with the default
-554 reply, and use "<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1" as described below.
-</p>
+<li> <p> With Postfix 2.3-2.5, use reply code 421 (521 will not
+cause Postfix to disconnect). The down-side of replying with 421
+is that it works only for zombies and other malware. If the client
+is running a real MTA, then it may connect again several times until
+the mail expires in its queue. When this is a problem, stick with
+the default 554 reply, and use "<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1" as
+described below. </p>
-<p> With Postfix 2.5, or with earlier releases that contain the
-stress-adaptive behavior patch, you can turn on the above under
-overload by replacing line 8 with: </p>
+<li> <p> You can automatically turn on the above overload measure
+with Postfix 2.5 and later, or with earlier releases that contain
+the stress-adaptive behavior source code patch from the mirrors
+listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>. Simply replace line
+above 8 with: </p>
<pre>
8 <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> = ${stress?hash:/etc/postfix/rbl_reply_maps}
</pre>
+</ul>
+
<p> More information about automatic stress-adaptive behavior is
-at the end of this document. </p>
+in section "<a href="#adapt">Automatic stress-adaptive behavior</a>".
+</p>
-</ul>
+<h2><a name="legacy"> Temporary measures for older Postfix releases </a></h2>
-<h2><a name="desperate"> Take desperate measures </a></h2>
+<p> See the next section, "<a href="#adapt">Automatic stress-adaptive
+behavior</a>", if you are running Postfix version 2.5 or later, or
+if you have applied the source code patch for stress-adaptive
+behavior from the mirrors listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>.
+</p>
-<p> The following measures will still allow <b>most</b> legitimate
-clients to connect and send mail, but may affect some legitimate
-clients. </p>
+<p> The following measures can be applied temporarily during overload.
+They still allow <b>most</b> legitimate clients to connect and send
+mail, but may affect some legitimate clients. </p>
<ul>
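Review bot: In the added bullet that introduces the stress-adaptive rbl_reply_maps setting, "Simply replace line above 8 with:" has its words transposed; it should read "Simply replace line 8 above with:". Also note that the 421 guidance for Postfix 2.3-2.5 now appears twice in this hunk, once as the new comment on line 11 of the example and again in the bullet that follows it; consider keeping the comment short and leaving the caveat about real MTAs retrying in the bullet only.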
names that didn't bother to unsubscribe. No mail should be lost,
as long as this measure is used only temporarily. </p>
-<li> <p> Disable remote SMTP client hostname lookups, so that all
-SMTP client hostnames become "unknown" (line 5 below). This feature
-was introduced with Postfix 2.3. Unfortunately, this measure is
-more problematic than the other ones proposed sofar. First, this
-will result in loss of mail when you use hostname-based access rules
-that reject mail from "unknown" SMTP clients (examples:
-<a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a>, <a href="postconf.5.html#reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a>).
-Second, this may result in loss of mail when you subject "unknown"
-SMTP clients to additional restrictions such as <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>.
-</p>
+<li> <p> Use an <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> of 1 instead of the default
+100. This prevents clients from keeping idle connections open by
+repeatedly sending NOOP or RSET commands. </p>
</ul>
1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
2 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = 10
3 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = 1
-4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-5 <a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> = no
+4 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = 1
</pre>
</blockquote>
-<p> Except with the last measure, no mail should be lost, as long
+<p> With these measures, no mail should be lost, as long
as these measures are used only temporarily. The next section of
this document introduces a way to automate this process. </p>
-<h2><a name="adapt"> Make Postfix behavior stress-adaptive </a></h2>
+<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
-This is also available as an add-on patch for Postfix versions 2.4
-and 2.3 from the mirrors listed at <a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>.
+This is also available as a source code patch for Postfix versions
+2.4 and 2.3 from the mirrors listed at
+<a href="http://www.postfix.org/download.html">http://www.postfix.org/download.html</a>. </p>
+
+<p> It works as follows. When a "public" network service such as
+the SMTP server runs into an "all server ports are busy" condition,
+the Postfix <a href="master.8.html">master(8)</a> daemon logs a warning, restarts the service
+(without interrupting existing network sessions), and runs the
+service with "-o stress=yes" on the server process command line:
</p>
-<p> It works as follows. When a "public" network service runs into
-an "all server ports are busy" condition, the <a href="master.8.html">master(8)</a> daemon logs
-a warning, restarts the service (without interrupting existing
-network sessions), and runs the service with "-o stress=yes" on the
-command line. Normally, it runs a stress-adaptive service with "-o
-stress=" on the command line (i.e. with an empty parameter value).
-Other services never have "-o stress" parameters on the command
-line, including services that listen on a loopback interface only.
-</p>
+<blockquote>
+<pre>
+80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
+</pre>
+</blockquote>
-<p> The stress pseudo-parameter value is the key to making <a href="postconf.5.html">main.cf</a>
-parameter settings stress adaptive: </p>
+<p> Normally, the Postfix <a href="master.8.html">master(8)</a> daemon runs such a service with
+"-o stress=" on the command line (i.e. with an empty parameter
+value): </p>
<blockquote>
<pre>
-1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-2 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?10}${stress:300}
-3 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?1}${stress:20}
+83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
+</pre>
+</blockquote>
+
+<p> Services that have local access only never have "-o stress"
+parameters on the command line. This includes services internal to
+Postfix such as the queue manager, and services that listen on a
+loopback interface only, such as after-filter SMTP services. </p>
+
+<p> The "stress" parameter value is the key to making <a href="postconf.5.html">main.cf</a>
+parameter settings stress adaptive. The following settings are the
+default with Postfix 2.6 and later. With earlier Postfix versions
+that have stress-adaptive support, append the lines below to the
+<a href="postconf.5.html">main.cf</a> file and issue a "postfix reload" command: </p>
+
+<blockquote>
+<pre>
+1 <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = ${stress?10}${stress:300}s
+2 <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> = ${stress?1}${stress:20}
+3 <a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> = ${stress?1}${stress:100}
</pre>
</blockquote>
<ul>
-<li> <p> Line 2: under conditions of stress, use an <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>
-value of 10 seconds instead of the default 300 seconds,
+<li> <p> Line 1: under conditions of stress, use an <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>
+value of 10 seconds instead of the default 300 seconds. Experience
+on the postfix-users list from a variety of sysadmins shows that
+reducing the "normal" <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> to 60s is unlikely to affect
+legitimate clients. However, it is unlikely to become the Postfix
+default because it's not RFC compliant. Setting <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> to
+10s (line 2 below) or even 5s under stress will still allow most
+legitimate clients to connect and send mail, but may delay mail
+from some clients. No mail should be lost, as long as this measure
+is used only temporarily. </p>
-<li> <p> Line 3: under conditions of stress, use an <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>
-of 1 instead of the default 20. </p>
+<li> <p> Line 2: under conditions of stress, use an <a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a>
+of 1 instead of the default 20. This helps by disconnecting clients
+after a single error, giving other clients a chance to connect.
+However, this may cause significant delays with legitimate mail,
+such as a mailing list that contains a few no-longer-active user
+names that didn't bother to unsubscribe. No mail should be lost,
+as long as this measure is used only temporarily. </p>
+
+<li> <p> Line 3: under conditions of stress, use an
+<a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> of 1 instead of the default 100. This
+prevents clients from keeping idle connections open by repeatedly
+sending NOOP or RSET commands. </p>
</ul>
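Review bot: The "Line 1" bullet contains a stale cross-reference: "Setting smtpd_timeout to 10s (line 2 below)" no longer matches the renumbered example, where smtpd_timeout is line 1 and the example sits above the list, while line 2 is now smtpd_hard_error_limit. Change it to "(line 1 above)" or drop the parenthetical. The wording looks carried over from the temporary-measures section, where smtpd_timeout is on line 2 of the listing that follows.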
</pre>
</blockquote>
+<h2><a name="other"> Other measures to off-load zombies </h2>
+
+<p> OpenBSD <a href="http://www.openbsd.org/spamd/">spamd</a>
+implements a daemon that handles all connections from "new" clients.
+Only well-behaved mail clients are allowed to talk to the mail
+server. Other clients are tarpitted, and will never get a chance
+to affect mail server performance. </p>
+
+<p> At some point in the future, Postfix may come with a simple
+front-end daemon that does basic greylisting and pipelining detection
+to keep zombies and other ratware away from Postfix itself. This
+would use the "pass" service type which has been available in
+stable Postfix releases since Postfix 2.5. </p>
+
<h2><a name="credits"> Credits </a></h2>
<ul>
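Review bot: The new heading <h2><a name="other"> Other measures to off-load zombies </h2> never closes its anchor. The other headings touched by this patch ("legacy", "adapt", "credits") all end with </a></h2>, so add the missing </a> before </h2>; otherwise the anchor stays open across the paragraphs that follow.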
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> = btree:/var/lib/postfix/smtpd_scache
+ <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> = btree:/etc/postfix/smtpd_scache
</pre>
</blockquote>
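Review bot: the example path for smtpd_tls_session_cache_database moves from /var/lib/postfix to /etc/postfix, which puts a cache database that the mail system rewrites at runtime into the configuration directory. A session cache is mutable state holding TLS session material, so the example is better left pointing at a data directory that is writable by the mail system and not by anything else, as the removed line did. The smtp_tls_session_cache_database hunk that follows makes the same change and needs the same look. If the /etc/postfix path is intentional, please say why in the change description.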
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/var/lib/postfix/smtp_scache
+ <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/etc/postfix/smtp_scache
</pre>
</blockquote>
clients without special cipher choices, the RSA certificate is
preferred. </p>
-<p> In order for remote SMTP clients to check the Postfix SMTP
-server certificates, the CA certificate (in case of a certificate
-chain, all CA certificates) must be available. You should add any
-intermediate CA certificates to the server certificate: the server
-certificate first, then the intermediate CA(s). </p>
+<p> To enable a remote SMTP client to verify the Postfix SMTP server
+certificate, the issuing CA certificates must be made available to the
+client. You should include the required certificates in the server
+certificate file, the server certificate first, then the issuing
+CA(s) (bottom-up order). </p>
<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root
accessible inside the optional chroot jail. </p>
<p> When you configure the Postfix SMTP server to request <a
-href="#server_vrfy_client">client certificates</a>, any CA certificates
-in $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> are sent to the client, in order to allow it to
-choose an identity signed by a CA you trust. If no $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>
+href="#server_vrfy_client">client certificates</a>, the DNs of certificate
+authorities in $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> are sent to the client, in order to allow
+it to choose an identity signed by a CA you trust. If no $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>
is specified, no preferred CA list is sent, and the client is free to
choose an identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce TLS
password. Both parts (certificate and private key) may be in the
same file. </p>
-<p> In order for remote SMTP servers to verify the Postfix SMTP
-client certificates, the CA certificate (in case of a certificate
-chain, all CA certificates) must be available. You should add
-these certificates to the client certificate, the client certificate
-first, then the issuing CA(s). </p>
+<p> To enable remote SMTP servers to verify the Postfix SMTP client
+certificate, the issuing CA certificates must be made available to the
+server. You should include the required certificates in the client
+certificate file, the client certificate first, then the issuing
+CA(s) (bottom-up order). </p>
<p> Example: the certificate for "client.example.com" was issued by
-"intermediate CA" which itself has a certificate of "root CA".
+"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with: </p>
<blockquote>
via UUCP: </p>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
uucp unix - n n - - pipe
flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
</pre>
<li> <p> Enable <b>transport</b> table lookups: </p>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
</pre>
is willing to relay mail for. </p>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relay_domains">relay_domains</a> = example.com ...<i>other <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a></i>...
</pre>
mail transport to your UUCP gateway host, say, <i>uucp-gateway</i>: </p>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = uucp-gateway
<a href="postconf.5.html#default_transport">default_transport</a> = uucp
</pre>
<p> Postfix 2.0 and later also allows the following more succinct form: </p>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#default_transport">default_transport</a> = uucp:uucp-gateway
</pre>
delivery via UUCP: </p>
<pre>
-/etc/postfix/master.cf:
+/etc/postfix/<a href="master.5.html">master.cf</a>:
uucp unix - n n - - pipe
flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
</pre>
</pre>
</blockquote>
-<p> The first form uses the default main.cf VERP delimiter characters.
+<p> The first form uses the default <a href="postconf.5.html">main.cf</a> VERP delimiter characters.
The second form allows you to explicitly specify the VERP delimiter
characters. The example shows the recommended values. </p>
<blockquote>
<pre>
-/etc/postfix/main.cf:
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +
<a href="postconf.5.html#forward_path">forward_path</a> = $home/.forward${<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>}${extension},
$home/.forward
</pre>
</blockquote>
-<p> The first form uses the default main.cf VERP delimiters, the
+<p> The first form uses the default <a href="postconf.5.html">main.cf</a> VERP delimiters, the
second form overrides them explicitly. The values shown are the
recommended ones. </p>
</pre>
</blockquote>
-<p> The first form uses the default main.cf VERP delimiters, the
+<p> The first form uses the default <a href="postconf.5.html">main.cf</a> VERP delimiters, the
second form overrides them explicitly. The values shown are the
recommended ones. </p>
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#always_add_missing_headers">always_add_missing_headers</a> (no)</b>
Always add (Resent-) From:, To:, Date: or Message-
- ID headers when not present.
+ ID: headers when not present.
<b>BUILT-IN CONTENT FILTERING CONTROLS</b>
Postfix built-in content filtering is meant to stop a
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<li> <a href="IPV6_README.html"> IP Version 6 Support </a>
+<li> <a href="MULTI_INSTANCE_README.html"> Multiple-instance management </a>
+
<li> <a href="INSTALL.html"> Installation from source code </a>
</ul>
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
- certificate.
+ A file containing CA certificates of root CAs
+ trusted to sign either remote SMTP server certifi-
+ cates or intermediate CA certificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority
The hostname to send in the SMTP EHLO or HELO com-
mand.
- <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
+ <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
negative feedback, after a delivery completes with
a connection or handshake failure.
- <b><a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a></b>
+ <b><a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a></b>
<b>($<a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a>)</b>
Idem, for delivery via the named message <i>transport</i>.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<pre>
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> = 127.0.0.1
-<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> = some.domain
+<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> = example.com
</pre>
<p> A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency. </p>
-<p> Use <a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a>
+<p> Use <a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a>
to specify a transport-specific override, where <i>transport</i>
is the <a href="master.5.html">master.cf</a>
name of the message delivery transport. </p>
connection the connection is reused.
</p>
+<p> This parameter is available in Postfix version 2.2 and earlier.
+With Postfix version 2.3 and later, see <a href="postconf.5.html#lmtp_connection_cache_on_demand">lmtp_connection_cache_on_demand</a>,
+<a href="postconf.5.html#lmtp_connection_cache_destinations">lmtp_connection_cache_destinations</a>, or <a href="postconf.5.html#lmtp_connection_reuse_time_limit">lmtp_connection_reuse_time_limit</a>.
+</p>
+
<p>
The effectiveness of cached connections will be determined by the
number of LMTP servers in use, and the concurrency limit specified
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
- mylmtp ... lmtp -o <a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a>=foo.bar.com
+ mylmtp ... lmtp -o <a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a>=foo.bar.com
</pre>
</blockquote>
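Review bot: the corrected example line still uses foo.bar.com as the LHLO name, while other examples in this patch are moved to the reserved example.com domain (host.example.com, [gateway.example.com]). Since the line is being touched for the anchor fix anyway, suggest lmtp_lhlo_name=foo.example.com so the documentation is consistent and does not name a registrable domain.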
</p>
<pre>
-<a href="postconf.5.html#myhostname">myhostname</a> = host.domain.tld
+<a href="postconf.5.html#myhostname">myhostname</a> = host.example.com
</pre>
<pre>
<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
-<a href="postconf.5.html#relayhost">relayhost</a> = [gateway.my.domain]
+<a href="postconf.5.html#relayhost">relayhost</a> = [gateway.example.com]
<a href="postconf.5.html#relayhost">relayhost</a> = uucphost
<a href="postconf.5.html#relayhost">relayhost</a> = [an.ip.add.ress]
</pre>
<DT><b><a name="smtp_tls_CAfile">smtp_tls_CAfile</a>
(default: empty)</b></DT><DD>
-<p> The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP client certificate. This is
-needed only when the CA certificate is not already present in the
-client certificate file. </p>
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote SMTP server certificates or intermediate CA certificates.
+These are loaded into memory before the <a href="smtp.8.html">smtp(8)</a> client enters the
+chroot jail. If the number of trusted roots is large, consider using
+<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> instead, but note that the latter directory must be
+present in the chroot jail if the <a href="smtp.8.html">smtp(8)</a> client is chrooted. This
+file may also be used to augment the client certificate trust chain,
+but it is best to include all the required certificates directly in
+$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
<p> Example: </p>
<p> The best way to use the default settings is to comment out the above
parameters in <a href="postconf.5.html">main.cf</a> if present. </p>
-<p> In order to verify certificates, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the client certificate, the
-client certificate first, then the issuing CA(s). </p>
+<p> To enable remote SMTP servers to verify the Postfix SMTP client
+certificate, the issuing CA certificates must be made available to the
+server. You should include the required certificates in the client
+certificate file, the client certificate first, then the issuing
+CA(s) (bottom-up order). </p>
-<p> Example: the certificate for "client.dom.ain" was issued by
-"intermediate CA" which itself has a certificate of "root CA".
+<p> Example: the certificate for "client.example.com" was issued by
+"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem". </p>
<DT><b><a name="smtpd_tls_CAfile">smtpd_tls_CAfile</a>
(default: empty)</b></DT><DD>
-<p> The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP server certificate. This is
-needed only when the CA certificate is not already present in the
-server certificate file. This file may also contain the CA
-certificates of other trusted CAs. You must use this file for the
-list of trusted CAs if you want to use chroot-mode. </p>
+<p> A file containing (PEM format) CA certificates of root CAs trusted
+to sign either remote SMTP client certificates or intermediate CA
+certificates. These are loaded into memory before the <a href="smtpd.8.html">smtpd(8)</a> server
+enters the chroot jail. If the number of trusted roots is large, consider
+using <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> instead, but note that the latter directory must
+be present in the chroot jail if the <a href="smtpd.8.html">smtpd(8)</a> server is chrooted. This
+file may also be used to augment the server certificate trust chain,
+but it is best to include all the required certificates directly in the
+server certificate file. </p>
+
+<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
+requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
+of client certificates, the distinguished names (DNs) of the certificate
+authorities listed in <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> are sent to the remote SMTP client
+in the client certificate request message. MUAs with multiple client
+certificates may use the list of preferred certificate authorities
+to select the correct client certificate. You may want to put your
+"preferred" CA or CAs in this file, and install other trusted CAs in
+$<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>. </p>
<p> Example: </p>
<DT><b><a name="smtpd_tls_CApath">smtpd_tls_CApath</a>
(default: empty)</b></DT><DD>
-<p> Directory with PEM format certificate authority certificates
-that the Postfix SMTP server offers to remote SMTP clients for the
-purpose of client certificate verification. Do not forget to create
-the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
-/etc/postfix/certs". </p>
+<p> A directory containing (PEM format) CA certificates of root CAs
+trusted to sign either remote SMTP client certificates or intermediate CA
+certificates. Do not forget to create the necessary "hash" links with,
+for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
+<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
+inside the chroot jail. </p>
-<p> To use this option in chroot mode, this directory (or a copy)
-must be inside the chroot jail. Please note that in this case the
-CA certificates are not offered to the client, so that e.g. Netscape
-clients might not offer certificates issued by them. Use of this
-feature is therefore not recommended. </p>
+<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
+not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
+to <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>, DNs of certificate authorities installed
+in $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> are not included in the client certificate
+request message. MUAs with multiple client certificates may use the
+list of preferred certificate authorities to select the correct
+client certificate. You may want to put your "preferred" CA or
+CAs in $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>, and install the remaining trusted CAs in
+$<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>. </p>
<p> Example: </p>
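Review bot: in the new smtpd_tls_CApath paragraph, both references to the CA file name the client-side parameter smtp_tls_CAfile ("In contrast to smtp_tls_CAfile" and "CAs in $smtp_tls_CAfile"), and both links point at #smtp_tls_CAfile. This entry documents the SMTP server, and it is the smtpd_tls_CAfile text earlier in this patch that says the CA DNs are sent in the client certificate request, so both should read smtpd_tls_CAfile with the matching link target. An operator following the text as written would put the preferred CAs in the SMTP client's trust file, where they do not affect what the server sends in its certificate request.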
presented to the client. For Netscape and OpenSSL clients without
special cipher choices the RSA certificate is preferred. </p>
-<p> In order to verify a certificate, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s). </p>
+<p> To enable a remote SMTP client to verify the Postfix SMTP server
+certificate, the issuing CA certificates must be made available to the
+client. You should include the required certificates in the server
+certificate file, the server certificate first, then the issuing
+CA(s) (bottom-up order). </p>
-<p> Example: the certificate for "server.dom.ain" was issued by
+<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".
Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem". </p>
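Review bot: the server example still reads 'which itself has a certificate of "root CA"' on the unchanged line after the edited one, while the matching client example in this patch was updated to 'which itself has a certificate issued by "root CA"'. Suggest updating this line as well so the server and client examples use the same wording.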
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>New or existing instance name assignment</b>
<b>-I</b> <i>name</i>
Assign the specified instance <i>name</i> to an existing
- instance or to a newly created or imported
- instance. Instance names other than "-" (which
+ instance, newly-created instance, or imported
+ instance. Instance names other than "-" (which
makes the instance "nameless") must start with
"postfix-". This restriction reduces the likeli-
hood of name collisions with system files.
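Review bot: style point on the reworded -I description: "newly-created" should not be hyphenated, since an adverb ending in -ly followed by a participle takes no hyphen; suggest "newly created instance". The same wording is added to the man page source for this option later in the patch and should change with it.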
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
negative feedback, after a delivery completes with
a connection or handshake failure.
- <b><a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a></b>
+ <b><a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a></b>
<b>($<a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a>)</b>
Idem, for delivery via the named message <i>transport</i>.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
What clients are allowed to connect to the QMQP
server port.
- <b>qmqpd_client_port_logging (no)</b>
- Enable logging of the remote QMQP client port in
- addition to the hostname and IP address.
-
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
+ Available in Postfix version 2.5 and later:
+
+ <b><a href="postconf.5.html#qmqpd_client_port_logging">qmqpd_client_port_logging</a> (no)</b>
+ Enable logging of the remote QMQP client port in
+ addition to the hostname and IP address.
+
<b>SEE ALSO</b>
<a href="http://cr.yp.to/proto/qmqp.html">http://cr.yp.to/proto/qmqp.html</a>, QMQP protocol
<a href="cleanup.8.html">cleanup(8)</a>, message canonicalization
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
- certificate.
+ A file containing CA certificates of root CAs
+ trusted to sign either remote SMTP server certifi-
+ cates or intermediate CA certificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority
The hostname to send in the SMTP EHLO or HELO com-
mand.
- <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
+ <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
handshake procedures.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP server
- certificate.
+ A file containing (PEM format) CA certificates of
+ root CAs trusted to sign either remote SMTP client
+ certificates or intermediate CA certificates.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP server
- certificate.
+ A file containing (PEM format) CA certificates of
+ root CAs trusted to sign either remote SMTP client
+ certificates or intermediate CA certificates.
<b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
Force the Postfix SMTP server to issue a TLS ses-
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
and \fBpostmap\fR(1) commands.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "STANDARDS"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.IP "\fBtrigger_timeout (10s)\fR"
configuration files.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
and \fBpostmap\fR(1) commands.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
.SH "New or existing instance name assignment"
.IP "\fB-I \fIname\fR"
Assign the specified instance \fIname\fR to an existing
-instance or to a newly created or imported instance. Instance
-names other than "-" (which makes the instance "nameless")
+instance, newly-created instance, or imported instance.
+Instance
+names other than "-" (which makes the instance "nameless")
must start with "postfix-". This restriction reduces the
likelihood of name collisions with system files.
.IP "\fB-G \fIgroup\fR"
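Review bot: the rewrapped -I text leaves "+Instance" alone on its own source line, between "imported instance." and "names other than". It renders the same in filled mode, but the split reads like a leftover from re-flowing; joining it with the following line keeps the source tidy.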
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.IP "\fBtrigger_timeout (10s)\fR"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
.na
.ft C
debug_peer_list = 127.0.0.1
-debug_peer_list = some.domain
+debug_peer_list = example.com
.fi
.ad
.ft R
seconds. When the LMTP client receives a request for the same
connection the connection is reused.
.PP
+This parameter is available in Postfix version 2.2 and earlier.
+With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
+lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.
+.PP
The effectiveness of cached connections will be determined by the
number of LMTP servers in use, and the concurrency limit specified
for the LMTP client. Cached connections are closed under any of
.nf
.na
.ft C
-myhostname = host.domain.tld
+myhostname = host.example.com
.fi
.ad
.ft R
.na
.ft C
relayhost = $mydomain
-relayhost = [gateway.my.domain]
+relayhost = [gateway.example.com]
relayhost = uucphost
relayhost = [an.ip.add.ress]
.fi
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_CAfile (default: empty)
-The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP client certificate. This is
-needed only when the CA certificate is not already present in the
-client certificate file.
+A file containing CA certificates of root CAs trusted to sign
+either remote SMTP server certificates or intermediate CA certificates.
+These are loaded into memory before the \fBsmtp\fR(8) client enters the
+chroot jail. If the number of trusted roots is large, consider using
+smtp_tls_CApath instead, but note that the latter directory must be
+present in the chroot jail if the \fBsmtp\fR(8) client is chrooted. This
+file may also be used to augment the client certificate trust chain,
+but it is best to include all the required certificates directly in
+$smtp_tls_cert_file.
.PP
Example:
.PP
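Review bot: the new smtp_tls_CAfile description drops the file format, while the matching smtpd_tls_CAfile text in this patch says "A file containing (PEM format) CA certificates". Adding "(PEM format)" here keeps the client and server descriptions parallel and tells the operator what the file must contain.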
The best way to use the default settings is to comment out the above
parameters in main.cf if present.
.PP
-In order to verify certificates, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the client certificate, the
-client certificate first, then the issuing CA(s).
+To enable remote SMTP servers to verify the Postfix SMTP client
+certificate, the issuing CA certificates must be made available to the
+server. You should include the required certificates in the client
+certificate file, the client certificate first, then the issuing
+CA(s) (bottom-up order).
.PP
-Example: the certificate for "client.dom.ain" was issued by
-"intermediate CA" which itself has a certificate of "root CA".
+Example: the certificate for "client.example.com" was issued by
+"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem".
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtpd_tls_CAfile (default: empty)
-The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP server certificate. This is
-needed only when the CA certificate is not already present in the
-server certificate file. This file may also contain the CA
-certificates of other trusted CAs. You must use this file for the
-list of trusted CAs if you want to use chroot-mode.
+A file containing (PEM format) CA certificates of root CAs trusted
+to sign either remote SMTP client certificates or intermediate CA
+certificates. These are loaded into memory before the \fBsmtpd\fR(8) server
+enters the chroot jail. If the number of trusted roots is large, consider
+using smtpd_tls_CApath instead, but note that the latter directory must
+be present in the chroot jail if the \fBsmtpd\fR(8) server is chrooted. This
+file may also be used to augment the server certificate trust chain,
+but it is best to include all the required certificates directly in the
+server certificate file.
+.PP
+By default (see smtpd_tls_ask_ccert), client certificates are not
+requested, and smtpd_tls_CAfile should remain empty. If you do make use
+of client certificates, the distinguished names (DNs) of the certificate
+authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client
+in the client certificate request message. MUAs with multiple client
+certificates may use the list of preferred certificate authorities
+to select the correct client certificate. You may want to put your
+"preferred" CA or CAs in this file, and install other trusted CAs in
+$smtpd_tls_CApath.
.PP
Example:
.PP
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_CApath (default: empty)
-Directory with PEM format certificate authority certificates
-that the Postfix SMTP server offers to remote SMTP clients for the
-purpose of client certificate verification. Do not forget to create
-the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
-/etc/postfix/certs".
-.PP
-To use this option in chroot mode, this directory (or a copy)
-must be inside the chroot jail. Please note that in this case the
-CA certificates are not offered to the client, so that e.g. Netscape
-clients might not offer certificates issued by them. Use of this
-feature is therefore not recommended.
+A directory containing (PEM format) CA certificates of root CAs
+trusted to sign either remote SMTP client certificates or intermediate CA
+certificates. Do not forget to create the necessary "hash" links with,
+for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
+smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
+inside the chroot jail.
+.PP
+By default (see smtpd_tls_ask_ccert), client certificates are
+not requested, and smtpd_tls_CApath should remain empty. In contrast
+to smtp_tls_CAfile, DNs of certificate authorities installed
+in $smtpd_tls_CApath are not included in the client certificate
+request message. MUAs with multiple client certificates may use the
+list of preferred certificate authorities to select the correct
+client certificate. You may want to put your "preferred" CA or
+CAs in $smtp_tls_CAfile, and install the remaining trusted CAs in
+$smtpd_tls_CApath.
.PP
Example:
.PP
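Review bot: the second added paragraph under smtpd_tls_CApath names the client-side parameter twice ("In contrast to smtp_tls_CAfile" and "CAs in $smtp_tls_CAfile"), but the behaviour being contrasted, sending CA DNs in the client certificate request message, is what the smtpd_tls_CAfile text in the previous hunk attributes to smtpd_tls_CAfile. Both references should read smtpd_tls_CAfile. As written, an operator following the advice would put the "preferred" CAs into the SMTP client's trust file, which the server's certificate request does not draw from.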
presented to the client. For Netscape and OpenSSL clients without
special cipher choices the RSA certificate is preferred.
.PP
-In order to verify a certificate, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s).
+To enable a remote SMTP client to verify the Postfix SMTP server
+certificate, the issuing CA certificates must be made available to the
+client. You should include the required certificates in the server
+certificate file, the server certificate first, then the issuing
+CA(s) (bottom-up order).
.PP
-Example: the certificate for "server.dom.ain" was issued by
+Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".
Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem".
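Review bot: the unchanged line after the new "server.example.com" example still reads 'which itself has a certificate of "root CA"', whereas the matching smtp_tls_cert_file hunk earlier in this patch was corrected to 'has a certificate issued by "root CA"'. Apply the same wording here so the client and server examples agree.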
The process name of a Postfix command or daemon process.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
.PP
Available in Postfix version 2.6 and later:
.IP "\fBalways_add_missing_headers (no)\fR"
-Always add (Resent-) From:, To:, Date: or Message-ID headers
+Always add (Resent-) From:, To:, Date: or Message-ID: headers
when not present.
.SH "BUILT-IN CONTENT FILTERING CONTROLS"
.na
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
before mail delivery is attempted.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The separator between user names and address extensions (user+foo).
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
The process name of a Postfix command or daemon process.
.IP "\fBqmqpd_authorized_clients (empty)\fR"
What clients are allowed to connect to the QMQP server port.
-.IP "\fBqmqpd_client_port_logging (no)\fR"
-Enable logging of the remote QMQP client port in addition to
-the hostname and IP address.
.IP "\fBqueue_directory (see 'postconf -d' output)\fR"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.IP "\fBverp_delimiter_filter (-=+)\fR"
The characters Postfix accepts as VERP delimiter characters on the
Postfix \fBsendmail\fR(1) command line and in SMTP commands.
+.PP
+Available in Postfix version 2.5 and later:
+.IP "\fBqmqpd_client_port_logging (no)\fR"
+Enable logging of the remote QMQP client port in addition to
+the hostname and IP address.
.SH "SEE ALSO"
.na
.nf
The process name of a Postfix command or daemon process.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "FILES"
Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
.IP "\fBsmtp_tls_CAfile (empty)\fR"
-The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP client certificate.
+A file containing CA certificates of root CAs trusted to sign
+either remote SMTP server certificates or intermediate CA certificates.
.IP "\fBsmtp_tls_CApath (empty)\fR"
Directory with PEM format certificate authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
The time limit for Postfix SMTP server write and read operations
during TLS startup and shutdown handshake procedures.
.IP "\fBsmtpd_tls_CAfile (empty)\fR"
-The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP server certificate.
+A file containing (PEM format) CA certificates of root CAs trusted
+to sign either remote SMTP client certificates or intermediate CA
+certificates.
.IP "\fBsmtpd_tls_CAfile (empty)\fR"
-The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP server certificate.
+A file containing (PEM format) CA certificates of root CAs trusted
+to sign either remote SMTP client certificates or intermediate CA
+certificates.
.IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
Force the Postfix SMTP server to issue a TLS session id, even
when TLS session caching is turned off (smtpd_tls_session_cache_database
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
The process name of a Postfix command or daemon process.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
responses.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.PP
The location of the Postfix top-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
-.IP "\fBsyslog_name (postfix)\fR"
+.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
.SH "SEE ALSO"
--- /dev/null
+#!/bin/sh
+
+# Look for missing parameter names in postlink
+
+trap 'rm -f postlink.tmp postconf.tmp check-postlink.tmp 2>/dev/null' 0 1 2 3 15
+
+# Extract parameters from postconf.5.html hyperlinks.
+
+sed -n '/[ ].*href="postconf\.5\.html#/{
+ s/^[^#]*#//
+ s/".*//
+ p
+}' mantools/postlink | sort > postlink.tmp
+#
+# Extract parameters from postlink script. This also produces names
+# of obsolete parameters, and non-parameter names such as SMTPD
+# access restrictions and mask names.
+
+postconf -d | sed 's/ =.*//' | sort >postconf.tmp
+
+# Filter the output through a whitelist.
+
+cat >check-postlink.tmp <<'EOF'
+lmtp_body_checks
+lmtp_cname_overrides_servername
+lmtp_destination_concurrency_failed_cohort_limit
+lmtp_destination_concurrency_negative_feedback
+lmtp_destination_concurrency_positive_feedback
+lmtp_destination_rate_delay
+lmtp_header_checks
+lmtp_initial_destination_concurrency
+lmtp_mime_header_checks
+lmtp_nested_header_checks
+local_destination_concurrency_failed_cohort_limit
+local_destination_concurrency_negative_feedback
+local_destination_concurrency_positive_feedback
+local_destination_rate_delay
+local_initial_destination_concurrency
+relay_destination_concurrency_failed_cohort_limit
+relay_destination_concurrency_negative_feedback
+relay_destination_concurrency_positive_feedback
+relay_destination_rate_delay
+relay_initial_destination_concurrency
+smtp_destination_concurrency_failed_cohort_limit
+smtp_destination_concurrency_negative_feedback
+smtp_destination_concurrency_positive_feedback
+smtp_destination_rate_delay
+smtp_initial_destination_concurrency
+stress
+virtual_destination_concurrency_failed_cohort_limit
+virtual_destination_concurrency_negative_feedback
+virtual_destination_concurrency_positive_feedback
+virtual_destination_rate_delay
+virtual_initial_destination_concurrency
+EOF
+
+comm -23 postconf.tmp postlink.tmp | fgrep -vx -f check-postlink.tmp
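Review bot: "postconf -d | sed ..." runs whichever postconf is first on PATH, so the list compared against mantools/postlink comes from the installed Postfix rather than from the source tree being checked; invoking the freshly built binary, or taking its path as an argument, would keep new parameters from being missed or misreported. The comment "Extract parameters from postlink script" also sits above the postconf -d pipeline instead of the sed that reads mantools/postlink, leaving the postconf -d step without a description of its own. The three temp files use fixed names in the current directory and are created by plain redirection, which follows an existing symlink of the same name; mktemp would remove that concern if the script is ever run outside a private build tree.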
s;\bline_length_limit\b;<a href="postconf.5.html#line_length_limit">$&</a>;g;
s;\blmtp_bind_address\b;<a href="postconf.5.html#lmtp_bind_address">$&</a>;g;
s;\blmtp_bind_address6\b;<a href="postconf.5.html#lmtp_bind_address6">$&</a>;g;
+ s;\blmtp_assume_final\b;<a href="postconf.5.html#lmtp_assume_final">$&</a>;g;
s;\blmtp_cache_connection\b;<a href="postconf.5.html#lmtp_cache_connection">$&</a>;g;
s;\blmtp_discard_lhlo_keyword_address_maps\b;<a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">$&</a>;g;
s;\blmtp_discard_lhlo_keywords\b;<a href="postconf.5.html#lmtp_discard_lhlo_keywords">$&</a>;g;
s;\blmtp_tls_note_starttls_offer\b;<a href="postconf.5.html#lmtp_tls_note_starttls_offer">$&</a>;g;
s;\blmtp_sender_dependent_authentication\b;<a href="postconf.5.html#lmtp_sender_dependent_authentication">$&</a>;g;
s;\blmtp_sasl_path\b;<a href="postconf.5.html#lmtp_sasl_path">$&</a>;g;
- s;\blmtp_lhlo_name\b;<a href="postconf.5.html#lmtp_lhloname">$&</a>;g;
+ s;\blmtp_lhlo_name\b;<a href="postconf.5.html#lmtp_lhlo_name">$&</a>;g;
s;\blmtp_connect_timeout\b;<a href="postconf.5.html#lmtp_connect_timeout">$&</a>;g;
s;\blmtp_data_done_timeout\b;<a href="postconf.5.html#lmtp_data_done_timeout">$&</a>;g;
s;\blmtp_data_init_timeout\b;<a href="postconf.5.html#lmtp_data_init_timeout">$&</a>;g;
s;\bdestination_concurrency_feedback_debug\b;<a href="postconf.5.html#destination_concurrency_feedback_debug">$&</a>;g;
s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_rate_delay\b;<a href="postconf.5.html#default_destination_rate_delay">$&</a>;g;
+ s;\bqmqpd_client_port_logging\b;<a href="postconf.5.html#qmqpd_client_port_logging">$&</a>;g;
s;\bqmqpd_error_delay\b;<a href="postconf.5.html#qmqpd_error_delay">$&</a>;g;
s;\bqmqpd_timeout\b;<a href="postconf.5.html#qmqpd_timeout">$&</a>;g;
s;\bqueue_directory\b;<a href="postconf.5.html#queue_directory">$&</a>;g;
s;\bservice_throttle_time\b;<a href="postconf.5.html#service_throttle_time">$&</a>;g;
s;\bsetgid_group\b;<a href="postconf.5.html#setgid_group">$&</a>;g;
- s;\bconnection_cache_service\b;<a href="postconf.5.html#connection_cache_service">$&</a>;g;
+ s;\bconnection_cache_service_name\b;<a href="postconf.5.html#connection_cache_service_name">$&</a>;g;
s;\bconnection_cache_status_update_time\b;<a href="postconf.5.html#connection_cache_status_update_time">$&</a>;g;
s;\bconnection_cache_protocol_timeout\b;<a href="postconf.5.html#connection_cache_protocol_timeout">$&</a>;g;
s;\bconnection_cache_ttl_limit\b;<a href="postconf.5.html#connection_cache_ttl_limit">$&</a>;g;
# Transport-dependent magical parameters.
s;(<i>transport</i>)(<b>)?(_destination_concurrency_failed_cohort_limit)\b;$2<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_concurrency_negative_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_positive_feedback">$1$3</a>;g;
+ s;(<i>transport</i>)(<b>)?(_destination_concurrency_negative_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_negative_feedback">$1$3</a>;g;
s;(<i>transport</i>)(<b>)?(_destination_concurrency_positive_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_positive_feedback">$1$3</a>;g;
s;(<i>transport</i>)(<b>)?(_delivery_slot_cost)\b;$2<a href="postconf.5.html#transport_delivery_slot_cost">$1$3</a>;g;
s;(<i>transport</i>)(<b>)?(_delivery_slot_discount)\b;$2<a href="postconf.5.html#transport_delivery_slot_discount">$1$3</a>;g;
an empty value ("name="), or sends a zero value ("name=0") in
the case of a numerical attribute. </p>
- <li> <p> The "recipient" attribute is available only in the
- "RCPT TO" stage, and in the "DATA" and "END-OF-MESSAGE" stages
- when Postfix accepted only one recipient for the current message.
- </p>
+ <li> <p> The "recipient" attribute is available in the "RCPT
+ TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE"
+ stages if Postfix accepted only one recipient for the current
+ message. </p>
<li> <p> The "recipient_count" attribute (Postfix 2.3 and later)
is non-zero only in the "DATA" and "END-OF-MESSAGE" stages. It
<h2>Overview </h2>
<p> This document describes the symptoms of Postfix SMTP server
-overload, and how to avoid the condition under normal conditions.
-When the condition is caused by botnets or other malware, the
-document suggests configuration settings that help to minimize the
-impact on legitimate mail. Finally, the document introduces
-stress-adaptive behavior, introduced with Postfix 2.5, and how it
-can be used to automatically switch configuration settings under
-overload. </p>
+overload. It presents permanent main.cf changes to avoid overload
+during normal operation, and temporary main.cf changes to cope with
+an unexpected burst of mail. This document makes specific suggestions
+for Postfix 2.5 and later which support stress-adaptive behavior,
+and for earlier Postfix versions that don't. </p>
<p> Topics covered in this document: </p>
<li><a href="#hangup"> Disconnect suspicious SMTP clients </a>
-<li><a href="#desperate"> Take desperate measures </a>
+<li><a href="#legacy"> Temporary measures for older Postfix releases </a>
-<li><a href="#adapt"> Make Postfix behavior stress-adaptive </a>
+<li><a href="#adapt"> Automatic stress-adaptive behavior </a>
<li><a href="#feature"> Detecting support for stress-adaptive behavior </a>
<li><a href="#forcing"> Forcing stress-adaptive behavior on or off </a>
+<li><a href="#other"> Other measures to off-load zombies </a>
+
<li><a href="#credits"> Credits </a>
</ul>
<h2><a name="overload"> Symptoms of Postfix SMTP server overload </a></h2>
-<p> Under normal conditions, Postfix responds immediately when a
-remote SMTP client connects. The time needed to deliver mail should
-be noticeable only with very large messages. Performance degrades
-more dramatically when the number of remote SMTP clients exceeds
-the number of Postfix SMTP server processes. When a client connects
-while all server processes are busy, the client must wait until a
-server process becomes available. </p>
+<p> Under normal conditions, the Postfix SMTP server responds
+immediately when an SMTP client connects to it; the time to deliver
+mail is noticeable only with large messages. Performance degrades
+dramatically when the number of SMTP clients exceeds the number of
+Postfix SMTP server processes. When an SMTP client connects while
+all Postfix SMTP server processes are busy, the client must wait
+until a server process becomes available. </p>
+
+<p> SMTP server overload may be caused by a surge of legitimate
+mail (example: a DNS registrar opens a new zone for registrations),
+by mistake (mail explosion caused by a forwarding loop) or by malice
+(worm outbreak, botnet, or other illegitimate activity). </p>
-<p> Overload may be caused by a legitimate mail (example: a DNS
-registrar opens a new zone for registrations), by mistake (mail
-explosion caused by a forwarding loop) or by illegitimate mail (worm
-outbreak, botnet, or other malware activity). Symptoms of Postfix
-SMTP mail server overload are: </p>
+<p> Symptoms of Postfix SMTP server overload are: </p>
<ul>
<li> <p> Remote SMTP clients experience a long delay before Postfix
-sends the "220 hostname.example.com ESMTP Postfix" greeting. If
-this affects end-user mail clients, enable the "submission" service
-entry in master.cf (present since Postfix 2.1), and tell users to
-connect to this instead of the public SMTP service. </p>
+sends the "220 hostname.example.com ESMTP Postfix" greeting. </p>
<ul>
-<li> <p> NOTE: Broken DNS configurations also cause lengthy delays
-before Postfix sends "220 hostname.example.com ...". In this case
-the delay happens even when Postfix is not busy. </p>
+<li> <p> NOTE: Broken DNS configurations can also cause lengthy
+delays before Postfix sends "220 hostname.example.com ...". These
+delays also exist when Postfix is NOT overloaded. </p>
+
+<li> <p> NOTE: To avoid "overload" delays for end-user mail
+clients, enable the "submission" service entry in master.cf (present
+since Postfix 2.1), and tell users to connect to this instead of
+the public SMTP service. </p>
</ul>
<ul>
-<li> <p> NOTE: A portscan for open SMTP ports also results in "lost
-connection ..." logfile messages. </p>
+<li> <p> NOTE: A portscan for open SMTP ports can also result in
+"lost connection ..." logfile messages. </p>
</ul>
</ul>
<p> Legitimate mail that doesn't get through during an episode of
-overload is not necessarily lost. It should still arrive once the
-situation returns to normal, as long as the overload condition is
-temporary. </p>
+Postfix SMTP server overload is not necessarily lost. It should
+still arrive once the situation returns to normal, as long as the
+overload condition is temporary. </p>
<h2><a name="concurrency"> Service more SMTP clients at the same time </a> </h2>
-<p> To service more SMTP clients simultaneously, you need to increase
-the number of SMTP server processes. This will improve the
+<p> One measure to avoid the "all server processes busy" condition
+is to service more SMTP clients simultaneously. For this you need
+to increase the number of Postfix SMTP server processes. This will
+improve the
responsiveness for remote SMTP clients, as long as the server machine
has enough hardware and software resources to run the additional
processes, and as long as the file system can keep up with the
filters (BSD kqueue(2), Linux epoll(4), or Solaris /dev/poll).
</p>
-<li> <p> You can reduce the Postfix memory footprint by using cdb:
+<li> <p> More processes use more memory. You can reduce the Postfix
+memory footprint by using cdb:
lookup tables instead of Berkeley DB's hash: or btree: tables. </p>
<pre>
<p> When increasing the number of SMTP server processes is not
practical, you can improve Postfix server responsiveness by eliminating
-unnecessary work. When Postfix spends less time per SMTP session, the
-same number of SMTP server processes can service more clients in the
-same amount of time. </p>
+delays. When Postfix spends less time per SMTP session, the same
+number of SMTP server processes can service more clients in a given
+amount of time. </p>
<ul>
mail. See BACKSCATTER_README for examples of the latter.
<li> <p> Group your header_checks and body_checks patterns to avoid
-unnecessary pattern matching operations.
+unnecessary pattern matching operations:
<pre>
1 /etc/postfix/header_checks:
2 if /^Subject:/
3 /^Subject: virus found in mail from you/ reject
- 4 /^Subject: ..../ ....
+ 4 /^Subject: ..other../ reject
5 endif
6
7 if /^Received:/
8 /^Received: from (postfix\.org) / reject forged client name in received header: $1
- 9 /^Received: from .../ ....
+ 9 /^Received: from ..other../ reject ....
10 endif
</pre>
<ul>
-<li> <p> Use "521" reply codes (Postfix 2.6 and later) for
-botnet-related RBLs or for selected non-RBL restrictions. With
-Postfix 2.3-2.5 use "421" for a similar result. The Postfix SMTP
-server will disconnect immediately without waiting for the remote
-SMTP client to send a QUIT command. </p>
-
-<p> You can set individual reject codes for RBLs, and for individual
-responses from a specific RBL. We'll use zen.spamhaus.org as an
-example; by the time you read this document, details may have
-changed. Right now, their documents say that a response of 127.0.0.10
-or 127.0.0.11 indicates a dynamic client IP address, which means
-that the machine is probably running a bot of some kind. To give
-a 521 response instead of the default 554 response, use something
-like: </p>
+<li> <p> Use "521" SMTP reply codes (Postfix 2.6 and later) or "421"
+(Postfix 2.3-2.5) to hang up on clients that that match botnet-related
+RBLs (see next bullet) or that match selected non-RBL restrictions
+such as SMTP access maps. The Postfix SMTP server will reject mail
+and disconnect without waiting for the remote SMTP client to send
+a QUIT command. </p>
+
+<li> <p> To hang up connections from blacklisted zombies, you can
+set specific Postfix SMTP server reject codes for specific RBLs,
+and for individual responses from specific RBLs. We'll use
+zen.spamhaus.org as an example; by the time you read this document,
+details may have changed. Right now, their documents say that a
+response of 127.0.0.10 or 127.0.0.11 indicates a dynamic client IP
+address, which means that the machine is probably running a bot of
+some kind. To give a 521 response instead of the default 554
+response, use something like: </p>
<pre>
1 /etc/postfix/main.cf:
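Review bot: the new first bullet contains a doubled word, "hang up on clients that that match botnet-related RBLs"; drop one "that". The rest of the bullet reads fine and the "(see next bullet)" reference matches the bullet that follows it.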
8 rbl_reply_maps = hash:/etc/postfix/rbl_reply_maps
9
10 /etc/postfix/rbl_reply_maps:
-11 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
-12 $rbl_class [$rbl_what] blocked using
-13 $rbl_domain${rbl_reason?; $rbl_reason}
-14
-15 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
-16 $rbl_class [$rbl_what] blocked using
-17 $rbl_domain${rbl_reason?; $rbl_reason}
+11 # With Postfix 2.3-2.5 use "421" to hang up connections.
+12 zen.spamhaus.org=127.0.0.10 521 4.7.1 Service unavailable;
+13 $rbl_class [$rbl_what] blocked using
+14 $rbl_domain${rbl_reason?; $rbl_reason}
+15
+16 zen.spamhaus.org=127.0.0.11 521 4.7.1 Service unavailable;
+17 $rbl_class [$rbl_what] blocked using
+18 $rbl_domain${rbl_reason?; $rbl_reason}
</pre>
-<p> Although the above shows three RBL lookups (lines 4-6), Postfix
-will still only do a single DNS query, so the performance difference
-is negligible. </p>
+<p> Although the above example shows three RBL lookups (lines 4-6),
+Postfix will only do a single DNS query, so it does not affect the
+performance. </p>
-<p> With Postfix 2.3-2.5, use 421 (reply code 521 will not cause
-Postfix to disconnect). The down-side of sending 421 is that
-it works only for zombies and other malware. If the client is running
-a real MTA, then it may connect again several times until the mail
-expires in its queue. When this is a problem, stick with the default
-554 reply, and use "smtpd_hard_error_limit = 1" as described below.
-</p>
+<li> <p> With Postfix 2.3-2.5, use reply code 421 (521 will not
+cause Postfix to disconnect). The down-side of replying with 421
+is that it works only for zombies and other malware. If the client
+is running a real MTA, then it may connect again several times until
+the mail expires in its queue. When this is a problem, stick with
+the default 554 reply, and use "smtpd_hard_error_limit = 1" as
+described below. </p>
-<p> With Postfix 2.5, or with earlier releases that contain the
-stress-adaptive behavior patch, you can turn on the above under
-overload by replacing line 8 with: </p>
+<li> <p> You can automatically turn on the above overload measure
+with Postfix 2.5 and later, or with earlier releases that contain
+the stress-adaptive behavior source code patch from the mirrors
+listed at http://www.postfix.org/download.html. Simply replace line
+above 8 with: </p>
<pre>
8 rbl_reply_maps = ${stress?hash:/etc/postfix/rbl_reply_maps}
</pre>
+</ul>
+
<p> More information about automatic stress-adaptive behavior is
-at the end of this document. </p>
+in section "<a href="#adapt">Automatic stress-adaptive behavior</a>".
+</p>
-</ul>
+<h2><a name="legacy"> Temporary measures for older Postfix releases </a></h2>
-<h2><a name="desperate"> Take desperate measures </a></h2>
+<p> See the next section, "<a href="#adapt">Automatic stress-adaptive
+behavior</a>", if you are running Postfix version 2.5 or later, or
+if you have applied the source code patch for stress-adaptive
+behavior from the mirrors listed at http://www.postfix.org/download.html.
+</p>
-<p> The following measures will still allow <b>most</b> legitimate
-clients to connect and send mail, but may affect some legitimate
-clients. </p>
+<p> The following measures can be applied temporarily during overload.
+They still allow <b>most</b> legitimate clients to connect and send
+mail, but may affect some legitimate clients. </p>
<ul>
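Review bot: the added sentence "Simply replace line above 8 with:" has two words transposed and should read "Simply replace line 8 above with:". Since this change also inserts a comment as line 11 of the example and renumbers the rbl_reply_maps entries to 12-18, please confirm that the references to "line 8" and "lines 4-6" still point at the intended lines of the example, part of which is outside the visible context.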
names that didn't bother to unsubscribe. No mail should be lost,
as long as this measure is used only temporarily. </p>
-<li> <p> Disable remote SMTP client hostname lookups, so that all
-SMTP client hostnames become "unknown" (line 5 below). This feature
-was introduced with Postfix 2.3. Unfortunately, this measure is
-more problematic than the other ones proposed sofar. First, this
-will result in loss of mail when you use hostname-based access rules
-that reject mail from "unknown" SMTP clients (examples:
-reject_unknown_client_hostname, reject_unknown_reverse_client_hostname).
-Second, this may result in loss of mail when you subject "unknown"
-SMTP clients to additional restrictions such as reject_unverified_sender.
-</p>
+<li> <p> Use an smtpd_junk_command_limit of 1 instead of the default
+100. This prevents clients from keeping idle connections open by
+repeatedly sending NOOP or RSET commands. </p>
</ul>
1 /etc/postfix/main.cf:
2 smtpd_timeout = 10
3 smtpd_hard_error_limit = 1
-4 # Caution: line 5 may trigger REJECTs by hostname-based access rules
-5 smtpd_peername_lookup = no
+4 smtpd_junk_command_limit = 1
</pre>
</blockquote>
-<p> Except with the last measure, no mail should be lost, as long
+<p> With these measures, no mail should be lost, as long
as these measures are used only temporarily. The next section of
this document introduces a way to automate this process. </p>
-<h2><a name="adapt"> Make Postfix behavior stress-adaptive </a></h2>
+<h2><a name="adapt"> Automatic stress-adaptive behavior </a></h2>
<p> Postfix version 2.5 introduces automatic stress-adaptive behavior.
-This is also available as an add-on patch for Postfix versions 2.4
-and 2.3 from the mirrors listed at http://www.postfix.org/download.html.
+This is also available as a source code patch for Postfix versions
+2.4 and 2.3 from the mirrors listed at
+http://www.postfix.org/download.html. </p>
+
+<p> It works as follows. When a "public" network service such as
+the SMTP server runs into an "all server ports are busy" condition,
+the Postfix master(8) daemon logs a warning, restarts the service
+(without interrupting existing network sessions), and runs the
+service with "-o stress=yes" on the server process command line:
</p>
-<p> It works as follows. When a "public" network service runs into
-an "all server ports are busy" condition, the master(8) daemon logs
-a warning, restarts the service (without interrupting existing
-network sessions), and runs the service with "-o stress=yes" on the
-command line. Normally, it runs a stress-adaptive service with "-o
-stress=" on the command line (i.e. with an empty parameter value).
-Other services never have "-o stress" parameters on the command
-line, including services that listen on a loopback interface only.
-</p>
+<blockquote>
+<pre>
+80821 ?? S 0:00.24 smtpd -n smtp -t inet -u -c -o stress=yes
+</pre>
+</blockquote>
-<p> The stress pseudo-parameter value is the key to making main.cf
-parameter settings stress adaptive: </p>
+<p> Normally, the Postfix master(8) daemon runs such a service with
+"-o stress=" on the command line (i.e. with an empty parameter
+value): </p>
<blockquote>
<pre>
-1 /etc/postfix/main.cf:
-2 smtpd_timeout = ${stress?10}${stress:300}
-3 smtpd_hard_error_limit = ${stress?1}${stress:20}
+83326 ?? S 0:00.28 smtpd -n smtp -t inet -u -c -o stress=
+</pre>
+</blockquote>
+
+<p> Services that have local access only never have "-o stress"
+parameters on the command line. This includes services internal to
+Postfix such as the queue manager, and services that listen on a
+loopback interface only, such as after-filter SMTP services. </p>
+
+<p> The "stress" parameter value is the key to making main.cf
+parameter settings stress adaptive. The following settings are the
+default with Postfix 2.6 and later. With earlier Postfix versions
+that have stress-adaptive support, append the lines below to the
+main.cf file and issue a "postfix reload" command: </p>
+
+<blockquote>
+<pre>
+1 smtpd_timeout = ${stress?10}${stress:300}s
+2 smtpd_hard_error_limit = ${stress?1}${stress:20}
+3 smtpd_junk_command_limit = ${stress?1}${stress:100}
</pre>
</blockquote>
<ul>
-<li> <p> Line 2: under conditions of stress, use an smtpd_timeout
-value of 10 seconds instead of the default 300 seconds,
+<li> <p> Line 1: under conditions of stress, use an smtpd_timeout
+value of 10 seconds instead of the default 300 seconds. Experience
+on the postfix-users list from a variety of sysadmins shows that
+reducing the "normal" smtpd_timeout to 60s is unlikely to affect
+legitimate clients. However, it is unlikely to become the Postfix
+default because it's not RFC compliant. Setting smtpd_timeout to
+10s (line 2 below) or even 5s under stress will still allow most
+legitimate clients to connect and send mail, but may delay mail
+from some clients. No mail should be lost, as long as this measure
+is used only temporarily. </p>
-<li> <p> Line 3: under conditions of stress, use an smtpd_hard_error_limit
-of 1 instead of the default 20. </p>
+<li> <p> Line 2: under conditions of stress, use an smtpd_hard_error_limit
+of 1 instead of the default 20. This helps by disconnecting clients
+after a single error, giving other clients a chance to connect.
+However, this may cause significant delays with legitimate mail,
+such as a mailing list that contains a few no-longer-active user
+names that didn't bother to unsubscribe. No mail should be lost,
+as long as this measure is used only temporarily. </p>
+
+<li> <p> Line 3: under conditions of stress, use an
+smtpd_junk_command_limit of 1 instead of the default 100. This
+prevents clients from keeping idle connections open by repeatedly
+sending NOOP or RSET commands. </p>
</ul>
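Review bot: the rewritten "Line 1" bullet still says "Setting smtpd_timeout to 10s (line 2 below)", but in the new three-line example smtpd_timeout is line 1 and the example sits above this list. The sentence looks carried over from the legacy section; drop the parenthetical or change it to "(line 1 above)".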
</pre>
</blockquote>
+<h2><a name="other"> Other measures to off-load zombies </h2>
+
+<p> OpenBSD <a href="http://www.openbsd.org/spamd/">spamd</a>
+implements a daemon that handles all connections from "new" clients.
+Only well-behaved mail clients are allowed to talk to the mail
+server. Other clients are tarpitted, and will never get a chance
+to affect mail server performance. </p>
+
+<p> At some point in the future, Postfix may come with a simple
+front-end daemon that does basic greylisting and pipelining detection
+to keep zombies and other ratware away from Postfix itself. This
+would use the "pass" service type which has been available in
+stable Postfix releases since Postfix 2.5. </p>
+
<h2><a name="credits"> Credits </a></h2>
<ul>
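Review bot: the new heading "<h2><a name="other"> Other measures to off-load zombies </h2>" never closes its anchor element. The neighbouring headings ("legacy", "adapt", "credits") all end with "</a></h2>", so add the missing "</a>" before "</h2>"; otherwise the anchor extends into the section text.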
</pre>
</blockquote>
+<p> As of version 2.5, Postfix will no longer maintain this file
+in a directory with non-Postfix ownership. As a migration aid,
+attempts to open such files are redirected to the Postfix-owned
+$data_directory, and a warning is logged. </p>
+
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
</pre>
</blockquote>
+<p> As of version 2.5, Postfix will no longer maintain this file
+in a directory with non-Postfix ownership. As a migration aid,
+attempts to open such files are redirected to the Postfix-owned
+$data_directory, and a warning is logged. </p>
+
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
clients without special cipher choices, the RSA certificate is
preferred. </p>
-<p> In order for remote SMTP clients to check the Postfix SMTP
-server certificates, the CA certificate (in case of a certificate
-chain, all CA certificates) must be available. You should add any
-intermediate CA certificates to the server certificate: the server
-certificate first, then the intermediate CA(s). </p>
+<p> To enable a remote SMTP client to verify the Postfix SMTP server
+certificate, the issuing CA certificates must be made available to the
+client. You should include the required certificates in the server
+certificate file, the server certificate first, then the issuing
+CA(s) (bottom-up order). </p>
<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root
accessible inside the optional chroot jail. </p>
<p> When you configure the Postfix SMTP server to request <a
-href="#server_vrfy_client">client certificates</a>, any CA certificates
-in $smtpd_tls_CAfile are sent to the client, in order to allow it to
-choose an identity signed by a CA you trust. If no $smtpd_tls_CAfile
+href="#server_vrfy_client">client certificates</a>, the DNs of certificate
+authorities in $smtpd_tls_CAfile are sent to the client, in order to allow
+it to choose an identity signed by a CA you trust. If no $smtpd_tls_CAfile
is specified, no preferred CA list is sent, and the client is free to
choose an identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce TLS
password. Both parts (certificate and private key) may be in the
same file. </p>
-<p> In order for remote SMTP servers to verify the Postfix SMTP
-client certificates, the CA certificate (in case of a certificate
-chain, all CA certificates) must be available. You should add
-these certificates to the client certificate, the client certificate
-first, then the issuing CA(s). </p>
+<p> To enable remote SMTP servers to verify the Postfix SMTP client
+certificate, the issuing CA certificates must be made available to the
+server. You should include the required certificates in the client
+certificate file, the client certificate first, then the issuing
+CA(s) (bottom-up order). </p>
<p> Example: the certificate for "client.example.com" was issued by
-"intermediate CA" which itself has a certificate of "root CA".
+"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with: </p>
<blockquote>
<pre>
debug_peer_list = 127.0.0.1
-debug_peer_list = some.domain
+debug_peer_list = example.com
</pre>
%PARAM default_database_type see "postconf -d" output
</p>
<pre>
-myhostname = host.domain.tld
+myhostname = host.example.com
</pre>
%PARAM mynetworks see "postconf -d" output
<pre>
relayhost = $mydomain
-relayhost = [gateway.my.domain]
+relayhost = [gateway.example.com]
relayhost = uucphost
relayhost = [an.ip.add.ress]
</pre>
connection the connection is reused.
</p>
+<p> This parameter is available in Postfix version 2.2 and earlier.
+With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
+lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.
+</p>
+
<p>
The effectiveness of cached connections will be determined by the
number of LMTP servers in use, and the concurrency limit specified
presented to the client. For Netscape and OpenSSL clients without
special cipher choices the RSA certificate is preferred. </p>
-<p> In order to verify a certificate, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the server certificate, the
-server certificate first, then the issuing CA(s). </p>
+<p> To enable a remote SMTP client to verify the Postfix SMTP server
+certificate, the issuing CA certificates must be made available to the
+client. You should include the required certificates in the server
+certificate file, the server certificate first, then the issuing
+CA(s) (bottom-up order). </p>
-<p> Example: the certificate for "server.dom.ain" was issued by
+<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".
Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem". </p>
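Review bot: the example keeps the old wording "which itself has a certificate of "root CA"" in the unchanged line after the renamed host, while the matching client-side example in this same patch is changed to "which itself has a certificate issued by "root CA"". Apply the same wording fix here so the server and client examples stay parallel.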
%PARAM smtpd_tls_CAfile
-<p> The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP server certificate. This is
-needed only when the CA certificate is not already present in the
-server certificate file. This file may also contain the CA
-certificates of other trusted CAs. You must use this file for the
-list of trusted CAs if you want to use chroot-mode. </p>
+<p> A file containing (PEM format) CA certificates of root CAs trusted
+to sign either remote SMTP client certificates or intermediate CA
+certificates. These are loaded into memory before the smtpd(8) server
+enters the chroot jail. If the number of trusted roots is large, consider
+using smtpd_tls_CApath instead, but note that the latter directory must
+be present in the chroot jail if the smtpd(8) server is chrooted. This
+file may also be used to augment the server certificate trust chain,
+but it is best to include all the required certificates directly in the
+server certificate file. </p>
+
+<p> By default (see smtpd_tls_ask_ccert), client certificates are not
+requested, and smtpd_tls_CAfile should remain empty. If you do make use
+of client certificates, the distinguished names (DNs) of the certificate
+authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client
+in the client certificate request message. MUAs with multiple client
+certificates may use the list of preferred certificate authorities
+to select the correct client certificate. You may want to put your
+"preferred" CA or CAs in this file, and install other trusted CAs in
+$smtpd_tls_CApath. </p>
<p> Example: </p>
%PARAM smtpd_tls_CApath
-<p> Directory with PEM format certificate authority certificates
-that the Postfix SMTP server offers to remote SMTP clients for the
-purpose of client certificate verification. Do not forget to create
-the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
-/etc/postfix/certs". </p>
-
-<p> To use this option in chroot mode, this directory (or a copy)
-must be inside the chroot jail. Please note that in this case the
-CA certificates are not offered to the client, so that e.g. Netscape
-clients might not offer certificates issued by them. Use of this
-feature is therefore not recommended. </p>
+<p> A directory containing (PEM format) CA certificates of root CAs
+trusted to sign either remote SMTP client certificates or intermediate CA
+certificates. Do not forget to create the necessary "hash" links with,
+for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
+smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
+inside the chroot jail. </p>
+
+<p> By default (see smtpd_tls_ask_ccert), client certificates are
+not requested, and smtpd_tls_CApath should remain empty. In contrast
+to smtp_tls_CAfile, DNs of certificate authorities installed
+in $smtpd_tls_CApath are not included in the client certificate
+request message. MUAs with multiple client certificates may use the
+list of preferred certificate authorities to select the correct
+client certificate. You may want to put your "preferred" CA or
+CAs in $smtp_tls_CAfile, and install the remaining trusted CAs in
+$smtpd_tls_CApath. </p>
<p> Example: </p>
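Review bot: the second new paragraph under smtpd_tls_CApath names the client-side parameter twice, in "In contrast to smtp_tls_CAfile" and in "CAs in $smtp_tls_CAfile". The text is about the CA names sent in the server's client certificate request, and the smtpd_tls_CAfile description added by this patch refers back to $smtpd_tls_CApath, so both should read smtpd_tls_CAfile. As written, a reader could put the preferred CAs in the SMTP client's trust file, where they have no effect on the request.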
<p> The best way to use the default settings is to comment out the above
parameters in main.cf if present. </p>
-<p> In order to verify certificates, the CA certificate (in case
-of a certificate chain, all CA certificates) must be available.
-You should add these certificates to the client certificate, the
-client certificate first, then the issuing CA(s). </p>
+<p> To enable remote SMTP servers to verify the Postfix SMTP client
+certificate, the issuing CA certificates must be made available to the
+server. You should include the required certificates in the client
+certificate file, the client certificate first, then the issuing
+CA(s) (bottom-up order). </p>
-<p> Example: the certificate for "client.dom.ain" was issued by
-"intermediate CA" which itself has a certificate of "root CA".
+<p> Example: the certificate for "client.example.com" was issued by
+"intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem". </p>
%PARAM smtp_tls_CAfile
-<p> The file with the certificate of the certification authority
-(CA) that issued the Postfix SMTP client certificate. This is
-needed only when the CA certificate is not already present in the
-client certificate file. </p>
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote SMTP server certificates or intermediate CA certificates.
+These are loaded into memory before the smtp(8) client enters the
+chroot jail. If the number of trusted roots is large, consider using
+smtp_tls_CApath instead, but note that the latter directory must be
+present in the chroot jail if the smtp(8) client is chrooted. This
+file may also be used to augment the client certificate trust chain,
+but it is best to include all the required certificates directly in
+$smtp_tls_cert_file. </p>
<p> Example: </p>
/* The process name of a Postfix command or daemon process.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
/* .PP
/* Available in Postfix version 2.6 and later:
/* .IP "\fBalways_add_missing_headers (no)\fR"
-/* Always add (Resent-) From:, To:, Date: or Message-ID headers
+/* Always add (Resent-) From:, To:, Date: or Message-ID: headers
/* when not present.
/* BUILT-IN CONTENT FILTERING CONTROLS
/* .ad
* ID uniqueness only within a second, we must ensure that the time in
* the message ID matches the queue ID creation time, as long as we use
* the queue ID in the message ID.
+ *
+ * XXX We log a dummy name=value record so that we (hopefully) don't break
+ * compatibility with existing logfile analyzers, and so that we don't
+ * complicate future code that wants to log more name=value attributes.
*/
if ((state->hdr_rewrite_context || var_always_add_hdrs)
&& (state->headers_seen & (1 << (state->resent[0] ?
msg_info("%s: %smessage-id=<%s.%s@%s>",
state->queue_id, *state->resent ? "resent-" : "",
time_stamp, state->queue_id, var_myhostname);
+ state->headers_seen |= (1 << (state->resent[0] ?
+ HDR_RESENT_MESSAGE_ID : HDR_MESSAGE_ID));
}
+ if ((state->headers_seen & (1 << HDR_MESSAGE_ID)) == 0)
+ msg_info("%s: message-id=<>", state->queue_id);
/*
* Add a missing (Resent-)Date: header. The date is in local time units,
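Review bot: the new "message-id=<>" record at the end of this hunk has no comment of its own; the XXX note that explains the dummy record is placed before the enclosing if statement, where it reads as a description of the header-adding branch. Move the explanation next to the added test on HDR_MESSAGE_ID, and say there that the branch above now sets the bit in headers_seen, so the dummy record is logged only when no Message-ID: header was seen or added.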
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
static RCPT_BUF *rcpt_buf;
int rcpt_count;
int dsn_ret;
+ int lock_tries;
/*
* Initialize. For some reason I wanted to allow for multiple instances
}
if (msg_verbose)
msg_info("%s: file %s", myname, VSTREAM_PATH(request->fp));
- if (myflock(vstream_fileno(request->fp), INTERNAL_LOCK, DELIVER_LOCK_MODE) < 0)
- msg_fatal("shared lock %s: %m", VSTREAM_PATH(request->fp));
+
+ /*
+ * XXX Originally, the queue manager would read new recipients AFTER all
+ * the in-memory recipients were processed. either the queue manager held
+ * an exclusive lock or delivery agents held a shared lock. Now we try a
+ * few times.
+ */
+ for (lock_tries = 0; /* see below */; lock_tries++) {
+ if (myflock(vstream_fileno(request->fp), INTERNAL_LOCK, DELIVER_LOCK_MODE) == 0)
+ break;
+ if (lock_tries < 5)
+ sleep(1);
+ else
+ msg_fatal("shared lock %s: %m", VSTREAM_PATH(request->fp));
+ }
close_on_exec(vstream_fileno(request->fp), CLOSE_ON_EXEC);
return (0);
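Review bot: the retry loop sleeps and tries again after every myflock() failure, whatever errno is, so an error that waiting cannot clear still costs five one-second sleeps before msg_fatal() reports it. Consider retrying only for the lock-contention case and failing at once otherwise, and give the retry count and delay names instead of the bare 5 and sleep(1). The comment's second sentence also starts in lower case ("either the queue manager held ...").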
#define DEF_IGN_MX_LOOKUP_ERR 0
extern bool var_ign_mx_lookup_err;
-#define VAR_SKIP_QUIT_RESP "smtp_skip_quit_response"
-#define DEF_SKIP_QUIT_RESP 1
+#define VAR_SMTP_SKIP_QUIT_RESP "smtp_skip_quit_response"
+#define DEF_SMTP_SKIP_QUIT_RESP 1
extern bool var_skip_quit_resp;
#define VAR_SMTP_ALWAYS_EHLO "smtp_always_send_ehlo"
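Review bot: the macros are renamed to VAR_SMTP_SKIP_QUIT_RESP and DEF_SMTP_SKIP_QUIT_RESP, but the declaration right below them is still "extern bool var_skip_quit_resp;". Either rename the variable to match the new prefix or note why it keeps the old name, and make sure every user of the old VAR_SKIP_QUIT_RESP and DEF_SKIP_QUIT_RESP macros is updated in the same change, since none of those call sites appear in this hunk.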
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20090404"
-#define MAIL_VERSION_NUMBER "2.6"
+#define MAIL_RELEASE_DATE "20090418"
+#define MAIL_VERSION_NUMBER "2.7"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
/* before mail delivery is attempted.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The separator between user names and address extensions (user+foo).
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* STANDARDS
cp $(PROG) ../../bin
$(MAKES): $(INC_DIR)/mail_params.h ../global/mail_params.c
- $(AWK) -f extract.awk ../*/*.c
+ $(AWK) -f extract.awk ../*/*.c | $(SHELL)
$(AUTOS): auto.awk
$(AWK) -f auto.awk
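Review bot: with "$(AWK) -f extract.awk ../*/*.c | $(SHELL)" the status of the recipe line is that of the shell at the end of the pipeline, so a failing AWK run can leave truncated or missing *_vars.h and *_table.h files without make noticing. Consider writing the AWK output to a temporary file, checking the AWK exit status, and only then running that file with $(SHELL).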
# when doing duplicate elimination. Differences in the default value
# or lower/upper bounds still result in "postconf -d" duplicates,
# which are a sign of an error somewhere...
+#
+# XXX Work around ancient AWK implementations with a 10 file limit
+# and no working close() operator (e.g. Solaris). Some systems
+# have a more modern implementation that is XPG4-compatible, but it
+# is too much bother to find out where each system keeps these.
/^(static| )*(const +)?CONFIG_INT_TABLE .*\{/,/\};/ {
if ($1 ~ /VAR/) {
- print "int " substr($3,2,length($3)-2) ";" > "int_vars.h"
+ int_vars["int " substr($3,2,length($3)-2) ";"] = 1
if (++itab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > int_table.h"
+ int_table[$0] = 1
}
}
}
/^(static| )*(const +)?CONFIG_STR_TABLE .*\{/,/\};/ {
if ($1 ~ /^VAR/) {
- print "char *" substr($3,2,length($3)-2) ";" > "str_vars.h"
+ str_vars["char *" substr($3,2,length($3)-2) ";"] = 1
if (++stab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > str_table.h"
+ str_table[$0] = 1
}
}
}
/^(static| )*(const +)?CONFIG_RAW_TABLE .*\{/,/\};/ {
if ($1 ~ /^VAR/) {
- print "char *" substr($3,2,length($3)-2) ";" > "raw_vars.h"
+ raw_vars["char *" substr($3,2,length($3)-2) ";"] = 1
if (++rtab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > raw_table.h"
+ raw_table[$0] = 1
}
}
}
/^(static| )*(const +)?CONFIG_BOOL_TABLE .*\{/,/\};/ {
if ($1 ~ /^VAR/) {
- print "int " substr($3,2,length($3)-2) ";" > "bool_vars.h"
+ bool_vars["int " substr($3,2,length($3)-2) ";"] = 1
if (++btab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > bool_table.h"
+ bool_table[$0] = 1
}
}
}
/^(static| )*(const +)?CONFIG_TIME_TABLE .*\{/,/\};/ {
if ($1 ~ /^VAR/) {
- print "int " substr($3,2,length($3)-2) ";" > "time_vars.h"
+ time_vars["int " substr($3,2,length($3)-2) ";"] = 1
if (++ttab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > time_table.h"
+ time_table[$0] = 1
}
}
}
/^(static| )*(const +)?CONFIG_NINT_TABLE .*\{/,/\};/ {
if ($1 ~ /VAR/) {
- print "int " substr($3,2,length($3)-2) ";" > "nint_vars.h"
+ nint_vars["int " substr($3,2,length($3)-2) ";"] = 1
if (++itab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
- print |"sed 's/[ ][ ]*/ /g' > nint_table.h"
+ nint_table[$0] = 1
}
}
}
-# Workaround for broken gawk versions.
+END {
+ # Print parameter declarations without busting old AWK's file limit.
+ print "cat >int_vars.h <<'EOF'"
+ for (key in int_vars)
+ print key
+ print "EOF"
+
+ print "cat >str_vars.h <<'EOF'"
+ for (key in str_vars)
+ print key
+ print "EOF"
+
+ print "cat >raw_vars.h <<'EOF'"
+ for (key in raw_vars)
+ print key
+ print "EOF"
+
+ print "cat >bool_vars.h <<'EOF'"
+ for (key in bool_vars)
+ print key
+ print "EOF"
+
+ print "cat >time_vars.h <<'EOF'"
+ for (key in time_vars)
+ print key
+ print "EOF"
+
+ print "cat >nint_vars.h <<'EOF'"
+ for (key in nint_vars)
+ print key
+ print "EOF"
+
+ # Print parameter initializations without busting old AWK's file limit.
+ print "sed 's/[ ][ ]*/ /g' >int_table.h <<'EOF'"
+ for (key in int_table)
+ print key
+ print "EOF"
-END { exit(0); }
+ print "sed 's/[ ][ ]*/ /g' >str_table.h <<'EOF'"
+ for (key in str_table)
+ print key
+ print "EOF"
+
+ print "sed 's/[ ][ ]*/ /g' >raw_table.h <<'EOF'"
+ for (key in raw_table)
+ print key
+ print "EOF"
+
+ print "sed 's/[ ][ ]*/ /g' >bool_table.h <<'EOF'"
+ for (key in bool_table)
+ print key
+ print "EOF"
+
+ print "sed 's/[ ][ ]*/ /g' >time_table.h <<'EOF'"
+ for (key in time_table)
+ print key
+ print "EOF"
+
+ print "sed 's/[ ][ ]*/ /g' >nint_table.h <<'EOF'"
+ for (key in nint_table)
+ print key
+ print "EOF"
+
+ # Flush output nicely.
+ exit(0);
+}
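Review bot: the `for (key in ...)` loops in the new END block emit entries in whatever order the AWK implementation traverses the array, so the generated *_vars.h and *_table.h files no longer follow source order and can differ between AWK implementations. If the consumers of these files do not depend on order, say so in the comment at the top of END; otherwise pipe each here-document through sort so the generated headers are reproducible and diffable between builds.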
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* .IP "\fBtrigger_timeout (10s)\fR"
/* configuration files.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* .SH "New or existing instance name assignment"
/* .IP "\fB-I \fIname\fR"
/* Assign the specified instance \fIname\fR to an existing
-/* instance or to a newly created or imported instance. Instance
-/* names other than "-" (which makes the instance "nameless")
+/* instance, newly-created instance, or imported instance.
+/* Instance
+/* names other than "-" (which makes the instance "nameless")
/* must start with "postfix-". This restriction reduces the
/* likelihood of name collisions with system files.
/* .IP "\fB-G \fIgroup\fR"
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* .IP "\fBtrigger_timeout (10s)\fR"
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
/* The process name of a Postfix command or daemon process.
/* .IP "\fBqmqpd_authorized_clients (empty)\fR"
/* What clients are allowed to connect to the QMQP server port.
-/* .IP "\fBqmqpd_client_port_logging (no)\fR"
-/* Enable logging of the remote QMQP client port in addition to
-/* the hostname and IP address.
/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* .IP "\fBverp_delimiter_filter (-=+)\fR"
/* The characters Postfix accepts as VERP delimiter characters on the
/* Postfix \fBsendmail\fR(1) command line and in SMTP commands.
+/* .PP
+/* Available in Postfix version 2.5 and later:
+/* .IP "\fBqmqpd_client_port_logging (no)\fR"
+/* Enable logging of the remote QMQP client port in addition to
+/* the hostname and IP address.
/* SEE ALSO
/* http://cr.yp.to/proto/qmqp.html, QMQP protocol
/* cleanup(8), message canonicalization
/* The process name of a Postfix command or daemon process.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* FILES
};
static const CONFIG_BOOL_TABLE lmtp_bool_table[] = {
VAR_LMTP_SKIP_5XX, DEF_LMTP_SKIP_5XX, &var_smtp_skip_5xx_greeting,
- VAR_SKIP_QUIT_RESP, DEF_SKIP_QUIT_RESP, &var_skip_quit_resp,
+ VAR_LMTP_SKIP_QUIT_RESP, DEF_LMTP_SKIP_QUIT_RESP, &var_skip_quit_resp,
VAR_LMTP_SASL_ENABLE, DEF_LMTP_SASL_ENABLE, &var_smtp_sasl_enable,
VAR_LMTP_RAND_ADDR, DEF_LMTP_RAND_ADDR, &var_smtp_rand_addr,
VAR_LMTP_QUOTE_821_ENV, DEF_LMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
/* Time limit for Postfix SMTP client write and read operations
/* during TLS startup and shutdown handshake procedures.
/* .IP "\fBsmtp_tls_CAfile (empty)\fR"
-/* The file with the certificate of the certification authority
-/* (CA) that issued the Postfix SMTP client certificate.
+/* A file containing CA certificates of root CAs trusted to sign
+/* either remote SMTP server certificates or intermediate CA certificates.
/* .IP "\fBsmtp_tls_CApath (empty)\fR"
/* Directory with PEM format certificate authority certificates
/* that the Postfix SMTP client uses to verify a remote SMTP server
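Review bot: the new smtp_tls_CAfile text ("A file containing CA certificates of root CAs trusted to sign ...") omits the "(PEM format)" qualifier that the matching smtpd_tls_CAfile rewrite in this same patch includes. Suggest identical wording on both sides so readers do not infer a format difference between the client and server parameters.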
static const CONFIG_BOOL_TABLE smtp_bool_table[] = {
VAR_SMTP_SKIP_5XX, DEF_SMTP_SKIP_5XX, &var_smtp_skip_5xx_greeting,
VAR_IGN_MX_LOOKUP_ERR, DEF_IGN_MX_LOOKUP_ERR, &var_ign_mx_lookup_err,
- VAR_SKIP_QUIT_RESP, DEF_SKIP_QUIT_RESP, &var_skip_quit_resp,
+ VAR_SMTP_SKIP_QUIT_RESP, DEF_SMTP_SKIP_QUIT_RESP, &var_skip_quit_resp,
VAR_SMTP_ALWAYS_EHLO, DEF_SMTP_ALWAYS_EHLO, &var_smtp_always_ehlo,
VAR_SMTP_NEVER_EHLO, DEF_SMTP_NEVER_EHLO, &var_smtp_never_ehlo,
VAR_SMTP_SASL_ENABLE, DEF_SMTP_SASL_ENABLE, &var_smtp_sasl_enable,
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
+ VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
0,
};
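Review bot: `VAR_LMTP_ASSUME_FINAL` is added to smtp_bool_table, whereas the other LMTP-named entries visible in this patch sit in lmtp_bool_table. If the placement is deliberate, a one-line comment next to the entry would keep someone from "correcting" it later; if not, it belongs in the LMTP table.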
void smtp_sasl_start(SMTP_SESSION *session, const char *sasl_opts_name,
const char *sasl_opts_val)
{
+ XSASL_CLIENT_CREATE_ARGS create_args;
+
if (msg_verbose)
msg_info("starting new SASL client");
if ((session->sasl_client =
- xsasl_client_create(smtp_sasl_impl, session->stream, var_procname,
- session->host, sasl_opts_val)) == 0)
+ XSASL_CLIENT_CREATE(smtp_sasl_impl, &create_args,
+ stream = session->stream,
+ service = var_procname,
+ server_name = session->host,
+ security_options = sasl_opts_val)) == 0)
msg_fatal("SASL per-connection initialization failed");
session->sasl_reply = vstring_alloc(20);
}
/* The time limit for Postfix SMTP server write and read operations
/* during TLS startup and shutdown handshake procedures.
/* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
-/* The file with the certificate of the certification authority
-/* (CA) that issued the Postfix SMTP server certificate.
+/* A file containing (PEM format) CA certificates of root CAs trusted
+/* to sign either remote SMTP client certificates or intermediate CA
+/* certificates.
/* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
-/* The file with the certificate of the certification authority
-/* (CA) that issued the Postfix SMTP server certificate.
+/* A file containing (PEM format) CA certificates of root CAs trusted
+/* to sign either remote SMTP client certificates or intermediate CA
+/* certificates.
/* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
/* Force the Postfix SMTP server to issue a TLS session id, even
/* when TLS session caching is turned off (smtpd_tls_session_cache_database
const char *sasl_opts_val)
{
const char *mechanism_list;
+ XSASL_SERVER_CREATE_ARGS create_args;
+ int tls_flag;
/*
* Sanity check.
* Set up a new server context for this connection.
*/
#define SMTPD_SASL_SERVICE "smtp"
+#ifdef USE_TLS
+ tls_flag = state->tls_context != 0;
+#else
+ tls_flag = 0;
+#endif
+#define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
+#define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)
if ((state->sasl_server =
- xsasl_server_create(smtpd_sasl_impl, state->client,
- SMTPD_SASL_SERVICE, *var_smtpd_sasl_realm ?
- var_smtpd_sasl_realm : (char *) 0,
- sasl_opts_val)) == 0)
+ XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
+ stream = state->client,
+ server_addr = "", /* need smtpd_peer.c update */
+ client_addr = ADDR_OR_EMPTY(state->addr,
+ CLIENT_ADDR_UNKNOWN),
+ service = SMTPD_SASL_SERVICE,
+ user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
+ security_options = sasl_opts_val,
+ tls_flag = tls_flag)) == 0)
msg_fatal("SASL per-connection initialization failed");
/*
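Review bot: `tls_flag = state->tls_context != 0` is sampled once, at the point where the SASL server context is created. That is only correct if this setup runs again after STARTTLS completes, which these lines do not show; please confirm or add a comment stating the ordering, since the Dovecot backend uses the flag to tell the auth server that the session is secured. Minor: `ADDR_OR_EMPTY` leaves `addr` and `unknown` unparenthesized while `REALM_OR_NULL` parenthesizes its argument, and the argument `tls_flag = tls_flag` would read more clearly with a differently named local.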
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* The process name of a Postfix command or daemon process.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
/* responses.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* .PP
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
-/* .IP "\fBsyslog_name (postfix)\fR"
+/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
/* SEE ALSO
* Generic server implementation. Specific instances extend this with their
* own private data.
*/
+typedef struct XSASL_SERVER_CREATE_ARGS {
+ VSTREAM *stream;
+ const char *server_addr;
+ const char *client_addr;
+ const char *service;
+ const char *user_realm;
+ const char *security_options;
+ int tls_flag;
+} XSASL_SERVER_CREATE_ARGS;
+
typedef struct XSASL_SERVER_IMPL {
- XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, VSTREAM *, const char *, const char *, const char *);
+ XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *, XSASL_SERVER_CREATE_ARGS *);
void (*done) (struct XSASL_SERVER_IMPL *);
} XSASL_SERVER_IMPL;
extern XSASL_SERVER_IMPL *xsasl_server_init(const char *, const char *);
extern ARGV *xsasl_server_types(void);
-#define xsasl_server_create(impl, stream, service, realm, sec_props) \
- (impl)->create((impl), (stream), (service), (realm), (sec_props))
+#define xsasl_server_create(impl, args) \
+ (impl)->create((impl), (args))
+#define XSASL_SERVER_CREATE(impl, args, a1, a2, a3, a4, a5, a6, a7) \
+ xsasl_server_create((impl), (((args)->a1), ((args)->a2), ((args)->a3), \
+ ((args)->a4), ((args)->a5), ((args)->a6), ((args)->a7), (args)))
#define xsasl_server_done(impl) (impl)->done((impl));
/*
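Review bot: `XSASL_SERVER_CREATE` enforces only that seven expressions are supplied, not that each structure member is assigned exactly once. A call that names one member twice and omits another compiles cleanly and hands the plug-in a field with an indeterminate value, because callers declare the args structure as an unzeroed automatic variable. Suggest a comment above the macro stating that every member must be named, and consider zeroing `*(args)` as the first operand of the comma expression so an omitted or later-added member has a defined default. The same applies to the client-side macro in this header.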
* Generic client implementation. Specific instances extend this with their
* own private data.
*/
+typedef struct XSASL_CLIENT_CREATE_ARGS {
+ VSTREAM *stream;
+ const char *service;
+ const char *server_name;
+ const char *security_options;
+} XSASL_CLIENT_CREATE_ARGS;
+
typedef struct XSASL_CLIENT_IMPL {
- XSASL_CLIENT *(*create) (struct XSASL_CLIENT_IMPL *, VSTREAM *, const char *, const char *, const char *);
+ XSASL_CLIENT *(*create) (struct XSASL_CLIENT_IMPL *, XSASL_CLIENT_CREATE_ARGS *);
void (*done) (struct XSASL_CLIENT_IMPL *);
} XSASL_CLIENT_IMPL;
extern XSASL_CLIENT_IMPL *xsasl_client_init(const char *, const char *);
extern ARGV *xsasl_client_types(void);
-#define xsasl_client_create(impl, stream, service, server, sec_props) \
- (impl)->create((impl), (stream), (service), (server), (sec_props))
+#define xsasl_client_create(impl, args) \
+ (impl)->create((impl), (args))
+#define XSASL_CLIENT_CREATE(impl, args, a1, a2, a3, a4) \
+ xsasl_client_create((impl), (((args)->a1), ((args)->a2), ((args)->a3), \
+ ((args)->a4), (args)))
#define xsasl_client_done(impl) (impl)->done((impl));
/*
/*
/* ARGV *xsasl_client_types()
/*
-/* XSASL_CLIENT *xsasl_client_create(implementation, stream, service,
-/* server_name, security_properties)
+/* .in +4
+/* typedef struct XSASL_CLIENT_CREATE_ARGS {
+/* VSTREAM *stream;
+/* const char *service;
+/* const char *server_name;
+/* const char *security_options;
+/* } XSASL_CLIENT_CREATE_ARGS;
+/* .in -4
+/*
+/* XSASL_CLIENT *xsasl_client_create(implementation, create_args)
/* XSASL_CLIENT_IMPL *implementation;
-/* VSTREAM *stream;
-/* const char *service;
-/* const char *server_name;
-/* const char *security_properties;
+/* XSASL_CLIENT_CREATE_ARGS *create_args;
+/*
+/* XSASL_CLIENT *XSASL_CLIENT_CREATE(implementation, create_args,
+/* stream = stream_val,
+/* ...,
+/* security_options = prop_val)
+/* XSASL_CLIENT_IMPL *implementation;
+/* XSASL_CLIENT_CREATE_ARGS *create_args;
/*
/* void xsasl_client_free(client)
/* XSASL_CLIENT *client;
/* security properties. The stream handle is stored so that
/* encryption can be turned on after successful negotiations.
/*
+/* XSASL_CLIENT_CREATE() is a macro that provides an interface
+/* with named parameters. Named parameters do not have to
+/* appear in a fixed order. The parameter names correspond to
+/* the member names of the XSASL_CLIENT_CREATE_ARGS structure.
+/*
/* xsasl_client_free() is called at the end of an SMTP session.
/* It destroys a SASL client instance, and disables further
/* read/write operations if encryption was turned on.
*/
static void xsasl_cyrus_client_done(XSASL_CLIENT_IMPL *);
static XSASL_CLIENT *xsasl_cyrus_client_create(XSASL_CLIENT_IMPL *,
- VSTREAM *,
- const char *,
- const char *,
- const char *);
+ XSASL_CLIENT_CREATE_ARGS *);
static int xsasl_cyrus_client_set_security(XSASL_CLIENT *, const char *);
static int xsasl_cyrus_client_first(XSASL_CLIENT *, const char *, const char *,
const char *, const char **, VSTRING *);
/* xsasl_cyrus_client_create - per-session SASL initialization */
XSASL_CLIENT *xsasl_cyrus_client_create(XSASL_CLIENT_IMPL *unused_impl,
- VSTREAM *stream,
- const char *service,
- const char *server,
- const char *sec_props)
+ XSASL_CLIENT_CREATE_ARGS *args)
{
XSASL_CYRUS_CLIENT *client = 0;
static sasl_callback_t callbacks[] = {
#define NULL_SERVER_ADDR ((char *) 0)
#define NULL_CLIENT_ADDR ((char *) 0)
- if ((sasl_status = SASL_CLIENT_NEW(service, server,
+ if ((sasl_status = SASL_CLIENT_NEW(args->service, args->server_name,
NULL_CLIENT_ADDR, NULL_SERVER_ADDR,
var_cyrus_sasl_authzid ? custom_callbacks :
custom_callbacks + 1, NULL_SECFLAGS,
client->xsasl.free = xsasl_cyrus_client_free;
client->xsasl.first = xsasl_cyrus_client_first;
client->xsasl.next = xsasl_cyrus_client_next;
- client->stream = stream;
+ client->stream = args->stream;
client->sasl_conn = sasl_conn;
client->callbacks = custom_callbacks;
client->decoded = vstring_alloc(20);
for (cp = custom_callbacks; cp->id != SASL_CB_LIST_END; cp++)
cp->context = (void *) client;
- if (xsasl_cyrus_client_set_security(&client->xsasl, sec_props)
+ if (xsasl_cyrus_client_set_security(&client->xsasl,
+ args->security_options)
!= XSASL_AUTH_OK)
XSASL_CYRUS_CLIENT_CREATE_ERROR_RETURN(0);
*/
static void xsasl_cyrus_server_done(XSASL_SERVER_IMPL *);
static XSASL_SERVER *xsasl_cyrus_server_create(XSASL_SERVER_IMPL *,
- VSTREAM *,
- const char *,
- const char *,
- const char *);
+ XSASL_SERVER_CREATE_ARGS *);
static void xsasl_cyrus_server_free(XSASL_SERVER *);
static int xsasl_cyrus_server_first(XSASL_SERVER *, const char *,
const char *, VSTRING *);
/* xsasl_cyrus_server_create - create server instance */
static XSASL_SERVER *xsasl_cyrus_server_create(XSASL_SERVER_IMPL *unused_impl,
- VSTREAM *stream,
- const char *service,
- const char *realm,
- const char *sec_props)
+ XSASL_SERVER_CREATE_ARGS *args)
{
const char *myname = "xsasl_cyrus_server_create";
char *server_address;
if (msg_verbose)
msg_info("%s: SASL service=%s, realm=%s",
- myname, service, realm ? realm : "(null)");
+ myname, args->service, args->user_realm ?
+ args->user_realm : "(null)");
/*
* The optimizer will eliminate code duplication and/or dead code.
#endif
if ((sasl_status =
- SASL_SERVER_NEW(service, var_myhostname,
- realm ? realm : NO_AUTH_REALM,
+ SASL_SERVER_NEW(args->service, var_myhostname,
+ args->user_realm ? args->user_realm : NO_AUTH_REALM,
server_address, client_address,
NO_SESSION_CALLBACKS, NO_SECURITY_LAYERS,
&sasl_conn)) != SASL_OK) {
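Review bot: `SASL_SERVER_NEW` still receives the function's own `server_address` and `client_address` locals, so the new `args->server_addr` and `args->client_addr` members are not used in the visible lines of the Cyrus backend, and neither is `args->tls_flag`. If that is intended for now, a comment here saying so would help; otherwise the caller-supplied addresses should be used so that both backends see the same values.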
server->xsasl.next = xsasl_cyrus_server_next;
server->xsasl.get_mechanism_list = xsasl_cyrus_server_get_mechanism_list;
server->xsasl.get_username = xsasl_cyrus_server_get_username;
- server->stream = stream;
+ server->stream = args->stream;
server->sasl_conn = sasl_conn;
server->decoded = vstring_alloc(20);
server->username = 0;
server->mechanism_list = 0;
- if (xsasl_cyrus_server_set_security(&server->xsasl, sec_props)
+ if (xsasl_cyrus_server_set_security(&server->xsasl, args->security_options)
!= XSASL_AUTH_OK)
XSASL_CYRUS_SERVER_CREATE_ERROR_RETURN(0);
char *username; /* authenticated user */
VSTRING *sasl_line;
unsigned int sec_props; /* Postfix mechanism filter */
+ int tls_flag; /* TLS enabled in this session */
char *mechanism_list; /* filtered mechanism list */
ARGV *mechanism_argv; /* ditto */
- MAI_HOSTADDR_STR server_addr; /* local IP address */
- MAI_HOSTADDR_STR client_addr; /* remote IP address */
+ char *client_addr; /* remote IP address */
+ char *server_addr; /* remote IP address */
} XSASL_DOVECOT_SERVER;
/*
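Review bot: the comment on the new `char *server_addr;` member says "remote IP address", apparently copied from the `client_addr` line above it; the declaration it replaces was commented "local IP address". Please restore "local IP address" on `server_addr`.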
*/
static void xsasl_dovecot_server_done(XSASL_SERVER_IMPL *);
static XSASL_SERVER *xsasl_dovecot_server_create(XSASL_SERVER_IMPL *,
- VSTREAM *,
- const char *,
- const char *,
- const char *);
+ XSASL_SERVER_CREATE_ARGS *);
static void xsasl_dovecot_server_free(XSASL_SERVER *);
static int xsasl_dovecot_server_first(XSASL_SERVER *, const char *,
const char *, VSTRING *);
/* xsasl_dovecot_server_create - create server instance */
static XSASL_SERVER *xsasl_dovecot_server_create(XSASL_SERVER_IMPL *impl,
- VSTREAM *stream,
- const char *service,
- const char *realm,
- const char *sec_props)
+ XSASL_SERVER_CREATE_ARGS *args)
{
const char *myname = "xsasl_dovecot_server_create";
XSASL_DOVECOT_SERVER *server;
struct sockaddr_storage ss;
struct sockaddr *sa = (struct sockaddr *) & ss;
SOCKADDR_SIZE salen;
+ MAI_HOSTADDR_STR server_addr;
if (msg_verbose)
msg_info("%s: SASL service=%s, realm=%s",
- myname, service, realm ? realm : "(null)");
+ myname, args->service, args->user_realm ?
+ args->user_realm : "(null)");
/*
* Extend the XSASL_SERVER_IMPL object with our own data. We use
server->impl = (XSASL_DOVECOT_SERVER_IMPL *) impl;
server->sasl_line = vstring_alloc(256);
server->username = 0;
- server->service = mystrdup(service);
+ server->service = mystrdup(args->service);
server->last_request_id = 0;
server->mechanism_list = 0;
server->mechanism_argv = 0;
+ server->tls_flag = args->tls_flag;
server->sec_props =
name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
- sec_props, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
+ args->security_options,
+ NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
+ server->client_addr = mystrdup(args->client_addr);
/*
- * XXX This is not the right place: it ignores client overrides with the
- * XCLIENT command.
+ * XXX Temporary code until smtpd_peer.c is updated.
*/
- salen = sizeof(ss);
- if (getpeername(vstream_fileno(stream), sa, &salen) < 0
- || sockaddr_to_hostaddr(sa, salen, &server->client_addr, 0, 0) != 0)
- server->client_addr.buf[0] = 0;
- salen = sizeof(ss);
- if (getsockname(vstream_fileno(stream), sa, &salen) < 0
- || sockaddr_to_hostaddr(sa, salen, &server->server_addr, 0, 0) != 0)
- server->server_addr.buf[0] = 0;
+ if (args->server_addr && *args->server_addr) {
+ server->server_addr = mystrdup(args->server_addr);
+ } else {
+ salen = sizeof(ss);
+ if (getsockname(vstream_fileno(args->stream), sa, &salen) < 0
+ || sockaddr_to_hostaddr(sa, salen, &server_addr, 0, 0) != 0)
+ server_addr.buf[0] = 0;
+ server->server_addr = mystrdup(server_addr.buf);
+ }
return (&server->xsasl);
}
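Review bot: `mystrdup(args->client_addr)` is called unconditionally, while `args->server_addr` is tested for both a null pointer and an empty string a few lines further down. Either state that both members must be non-null (the interface text says to pass zero-length strings when an address is unavailable) and drop the null test, or guard `client_addr` the same way. The "XXX Temporary code" comment should also name the condition under which the getsockname() fallback can be removed.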
argv_free(server->mechanism_argv);
}
myfree(server->service);
+ myfree(server->server_addr);
+ myfree(server->client_addr);
myfree((char *) server);
}
vstream_fprintf(server->impl->sasl_stream,
"AUTH\t%u\t%s\tservice=%s\tnologin\tlip=%s\trip=%s",
server->last_request_id, sasl_method,
- server->service, server->server_addr.buf,
- server->client_addr.buf);
+ server->service, server->server_addr,
+ server->client_addr);
+ if (server->tls_flag)
+ vstream_fputs("\tsecured", server->impl->sasl_stream);
if (init_response) {
/*
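Review bot: `lip=%s` and `rip=%s` are written even when the address strings are zero-length, which this patch makes a documented case, so the auth server can receive empty `lip=` and `rip=` fields. Suggest emitting each field only when its string is non-empty, the same way `secured` is appended only when `tls_flag` is set.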
/*
/* ARGV *xsasl_server_types()
/*
-/* XSASL_SERVER *xsasl_server_create(implementation, stream, service,
-/* user_realm, security_options)
+/* .in +4
+/* typedef struct XSASL_SERVER_CREATE_ARGS {
+/* VSTREAM *stream;
+/* const char *server_addr;
+/* const char *client_addr;
+/* const char *service;
+/* const char *user_realm;
+/* const char *security_options;
+/* int tls_flag;
+/* } XSASL_SERVER_CREATE_ARGS;
+/* .in -4
+/*
+/* XSASL_SERVER *xsasl_server_create(implementation, args)
+/* XSASL_SERVER_IMPL *implementation;
+/* XSASL_SERVER_CREATE_ARGS *args;
+/*
+/* XSASL_SERVER *XSASL_SERVER_CREATE(implementation, args,
+/* stream = stream_value,
+/* ...,
+/* tls_flag = tls_flag_value)
/* XSASL_SERVER_IMPL *implementation;
-/* const char *service;
-/* VSTREAM *stream;
-/* const char *user_realm;
-/* const char *security_options;
+/* XSASL_SERVER_CREATE_ARGS *args;
/*
/* void xsasl_server_free(server)
/* XSASL_SERVER *server;
/* with the specified security properties. Specify a null
/* pointer when no realm should be used. The stream handle is
/* stored so that encryption can be turned on after successful
-/* negotiations.
+/* negotiations. Specify zero-length strings when a client or
+/* server address is unavailable.
+/*
+/* XSASL_SERVER_CREATE() is a macro that provides an interface
+/* with named parameters. Named parameters do not have to
+/* appear in a fixed order. The parameter names correspond to
+/* the member names of the XSASL_SERVER_CREATE_ARGS structure.
/*
/* xsasl_server_free() is called at the end of an SMTP session.
/* It destroys a SASL server instance, and disables further
/* Arguments:
/* .IP auth_method
/* AUTH command authentication method.
+/* .IP client_addr
+/* IPv4 or IPv6 address (no surrounding [] or ipv6: prefix),
+/* or zero-length string if unavailable.
/* .IP init_resp
/* AUTH command initial response or null pointer.
/* .IP implementation
/* equivalent. This is passed unchanged to the plug-in.
/* .IP server
/* SASL plug-in server handle.
+/* .IP server_addr
+/* IPv4 or IPv6 address (no surrounding [] or ipv6: prefix),
+/* or zero-length string if unavailable.
/* .IP server_reply
/* BASE64 encoded server non-error reply (without SMTP reply
/* code or enhanced status code), or ASCII error description.